RE: [suse-security] /usr/sbin/compartment fails to chroot for non-root user




> -----Original Message-----
> From: Peter Wiersig [mailto:wiersig-ml@xxxxxxxxxxxxx]
> Sent: 21 January 2004 10:11
> To: suse-security@xxxxxxxx
> Subject: Re: [suse-security] /usr/sbin/compartment fails to chroot for
> non-root user
>
>
> Tom Knight wrote:
> >
> > Looking at the file "problem" that strace creates tells me that:
> > <snip>
> > [400e10cd] chroot("/home/update.jail")  = -1 EPERM (Operation
> not permitted)
>
> man 2 chroot:
> SYNOPSIS
>        #include <unistd.h>
>
>        int chroot(const char *path);
>
> DESCRIPTION
>        chroot  changes the root directory to that specified in path.
>        This directory will be used for path names beginning with /.
>        The root directory is inherited by all children of  the
>        current process.
>
>        Only the super-user may change the root directory.
>
> > Any ideas on how to solve this?
>
> Clean programming and suid-binaries.

Okay, obviously you aren't telling me to make chroot suid root,
but what _are_ you telling me?

I'm now trying:
`sudo /usr/bin/chroot /home/update.jail /bin/su -l update`
So my chroot command/shell is `/bin/su -l update`.
My error is now a little more strange, i.e.:
"/bin/su: incorrect password"

Don't tell me I'm typing the incorrect password, I'm not!
* If I try `su update`, then I'm asked for the password, which I type
(correctly), the machine pauses for over a second, then I get the error.
* If I try `sudo /usr/bin/chroot /home/update.jail /bin/su - update` from
the prompt, I'm not asked for the password, I get the error immediately.

The lines in /etc/sudoers read:
localadmin      ALL=(ALL) NOPASSWD: ALL
update  ALL=(ALL)  NOPASSWD: ALL

No, localadmin isn't even in that file normally, I've only added it for
testing - I'm logged in as localadmin when trying to su to update and run
the sudo chroot command.

Obviously, even if this all works, I'll have to leave a copy of su in my
chroot jail. Is this really a good thing?

Tom.
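An added example to illustrate what "clean programming and suid-binaries" amounts to in practice; this is not code from the thread or from SuSE's compartment tool. It is a small helper, meant to be installed set-uid root, that does the one privileged step (chroot, which the quoted man page reserves for the super-user) and then drops to the target user before running a command, so no copy of su needs to live inside the jail. The names jail_precheck and enter_jail, the error codes, and the minimal environment are my own assumptions; the jail path and user name are taken from the command line.

```c
/* Added example (not from the thread): a minimal set-uid root helper
 * that enters a chroot jail and drops to an unprivileged user.
 * Build: cc -o jail_exec jail_exec.c ; install as root:root mode 4750.
 * Usage: jail_exec /home/update.jail update [cmd ...]
 */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Result codes for jail_precheck() (assumed names, not from the page). */
enum jail_err {
    JAIL_OK = 0,
    JAIL_NOT_ABSOLUTE, /* chroot of a relative path depends on the cwd */
    JAIL_NOT_DIR,      /* stat failed or the path is not a directory */
    JAIL_WRITABLE,     /* jail root not owned by root, or group/other writable */
    JAIL_NEED_ROOT     /* only euid 0 may chroot(2), as the man page says */
};

/* Checks that run before anything is touched. The jail root must be
 * owned by root and not writable by the jailed user: a writable root
 * lets the jailed account plant files the helper later trusts. */
int jail_precheck(const char *jail, uid_t target_uid)
{
    struct stat st;
    if (jail == NULL || jail[0] != '/')
        return JAIL_NOT_ABSOLUTE;
    if (stat(jail, &st) != 0 || !S_ISDIR(st.st_mode))
        return JAIL_NOT_DIR;
    if (st.st_uid != 0 || st.st_uid == target_uid ||
        (st.st_mode & (S_IWGRP | S_IWOTH)))
        return JAIL_WRITABLE;
    if (geteuid() != 0)
        return JAIL_NEED_ROOT;
    return JAIL_OK;
}

/* Enter the jail and give up privilege in the safe order: chroot, then
 * chdir("/") so the cwd is inside the new root, then supplementary
 * groups, gid, and uid last. Returns 0, or -1 with errno set
 * (EPERM from chroot when not root, exactly as the strace showed). */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (chroot(jail) != 0) return -1;
    if (chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0) return -1; /* no inherited groups like wheel */
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    /* confirm the drop is permanent: regaining root must now fail */
    if (uid != 0 && setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s <jail-dir> <user> [cmd ...]\n", argv[0]);
        return 2;
    }
    const char *jail = argv[1];
    struct passwd *pw = getpwnam(argv[2]);
    if (pw == NULL) {
        fprintf(stderr, "no such user: %s\n", argv[2]);
        return 2;
    }
    int rc = jail_precheck(jail, pw->pw_uid);
    if (rc != JAIL_OK) {
        fprintf(stderr, "jail precheck failed for %s: code %d\n", jail, rc);
        return 1;
    }
    if (enter_jail(jail, pw->pw_uid, pw->pw_gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    /* Start the command with a minimal environment rather than the
     * caller's, which is what "su -l" would otherwise have provided. */
    char *envp[] = { "PATH=/bin:/usr/bin", "HOME=/", NULL };
    char *shell[] = { "/bin/sh", "-l", NULL };
    char **cmd = argc > 3 ? &argv[3] : shell;
    execve(cmd[0], cmd, envp);
    perror("execve");
    return 1;
}
```

With this in place the sudoers entries and the copy of /bin/su in the jail are no longer needed: the helper is the only set-uid piece, it refuses jails whose root the target user could write to, and it never returns to the caller with root still held.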





-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here