
RE: [suse-security] /usr/sbin/compartment fails to chroot for non-root user




> -----Original Message-----
> From: Tom Knight [mailto:thomas.knight@xxxxxxxxxx]
> Sent: 21 January 2004 10:53
> To: suse-security@xxxxxxxx
> Subject: RE: [suse-security] /usr/sbin/compartment fails to chroot for
> non-root user
> 
> 
> 
> 
> > -----Original Message-----
> > From: Peter Wiersig [mailto:wiersig-ml@xxxxxxxxxxxxx]
> > Sent: 21 January 2004 10:11
> > To: suse-security@xxxxxxxx
> > Subject: Re: [suse-security] /usr/sbin/compartment fails to chroot for
> > non-root user
> >
> >
> > Tom Knight wrote:
> > >
> > > Looking at the file "problem" that strace creates tells me that:
> > > <snip>
> > > [400e10cd] chroot("/home/update.jail")  = -1 EPERM (Operation not permitted)
> >
> > man 2 chroot:
> > SYNOPSIS
> >        #include <unistd.h>
> >
> >        int chroot(const char *path);
> >
> > DESCRIPTION
> >        chroot  changes the root directory to that specified in path.
> >        This directory will be used for path names beginning with /.
> >        The root directory is inherited by all children of  the
> >        current process.
> >
> >        Only the super-user may change the root directory.
> >
> > > Any ideas on how to solve this?
> >
> > Clean programming and suid-binaries.
> 
> Okay, obviously you aren't telling me to make chroot suid root,
> but what _are_ you telling me?
> 
> I'm now trying:
> `sudo /usr/bin/chroot /home/update.jail /bin/su -l update`
> So my chroot command/shell is `/bin/su -l update`.
> My error is now a little more strange, i.e.:
> "/bin/su: incorrect password"

Argh, I'm using PAM.
I don't think I want to include a working PAM config into 
my chroot jail so I'll either have to recompile su or not
use it.

Again, is su something I really want in my chroot jail anyway?

Tom.
