different wrote:
> On 16:21 Sun 14 Jun , 7v5w7go9ub0o wrote:
>> [... SNIP ...]
>>
>> Nope.... that's all there is to the wrapper.
>>
>> gcc runchroot.c -o runchroot
>> chown root runchroot
>> chmod u+s runchroot
>
> Ouch. Do _not_ set the setuid-bit on runchroot. Otherwise it would be
> a piece of cake for the intruder to gain root-privileges:
> diff@mallory ~ $ ls -l runchroot
> -rwsr-xr-x 1 root root 7680 Jun 15 04:37 runchroot
> diff@mallory ~ $ ./runchroot -u root -d / -- /bin/sh
> # id
> uid=0(root) gid=0(root) groups=10(wheel),18(audio),27(video),1000(diff),1007(qemu)
> # ls -l /proc/self/root
> lrwxrwxrwx 1 root root 0 Jun 15 04:45 /proc/self/root -> /
>
> /ck

Thank you! for posting this!!

TBH, I wondered about this. After updating to 64bit, I compiled
runchroot and forgot to do the setuid-bit - yet everything *appears* to
work fine; i.e. the user is changed to the designated, unprivileged
user; However, I haven't confirmed that the privileges have also been
dropped - they *seem* to have been. So I included the setuid advice
provided in this link: <http://www.gammon.com.au/forum/?id=885>

The source code makes no mention of setuid.

Based on your note, I'll continue with a non-setuid setup. :-)
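
The message above leaves open whether the privileges were really dropped. One way to confirm it on Linux, as an added example that is not part of the original post or of runchroot: read the Uid, Gid and Groups lines of `/proc/<pid>/status` for the process started by the wrapper and flag any remaining root ID, including a saved UID of 0. The helper names are hypothetical and the three sample excerpts are constructed.

```c
/* Added example, not runchroot code; helper names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum { ROOT_UID = 1, ROOT_GID = 2, ROOT_GROUP = 4, MIXED_IDS = 8, PARSE_ERROR = 16 };
/* Constructed /proc/<pid>/status excerpts (Uid/Gid order: real, effective, saved, fs). */
const char SAMPLE_DROPPED[] = "Name:\tsh\nUid:\t1000\t1000\t1000\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000\n";
const char SAMPLE_SAVED_ROOT[] = "Name:\tsh\nUid:\t1000\t1000\t0\t1000\nGid:\t1000\t1000\t1000\t1000\nGroups:\t1000\n";
const char SAMPLE_ROOT_SHELL[] = "Name:\tsh\nUid:\t0\t0\t0\t0\nGid:\t0\t0\t0\t0\nGroups:\t10 18 27 1000 1007\n";

/* Scan the decimal IDs on the line named by key; is_cred demands 4 equal IDs. */
static int scan_ids(const char *text, const char *key, int zero_flag, int is_cred)
{
    const char *p = strstr(text, key);   /* key carries a leading '\n' */
    int flags = 0, count = 0;
    long first = 0;
    if (!p) return is_cred ? PARSE_ERROR : 0;
    for (p += strlen(key);; count++) {
        while (*p == ' ' || *p == '\t') p++;
        if (*p < '0' || *p > '9') break;          /* end of line or junk */
        char *end;
        long id = strtol(p, &end, 10);
        if (id == 0) flags |= zero_flag;          /* some ID is still root's */
        if (count == 0) first = id;
        else if (is_cred && id != first) flags |= MIXED_IDS;
        p = end;
    }
    if (is_cred && count != 4) flags |= PARSE_ERROR;
    return flags;
}

/* 0 means no UID, GID or supplementary group of the process is root's. */
int check_dropped(const char *status)
{
    return scan_ids(status, "\nUid:", ROOT_UID, 1) | scan_ids(status, "\nGid:", ROOT_GID, 1)
         | scan_ids(status, "\nGroups:", ROOT_GROUP, 0);
}

int main(int argc, char **argv)
{
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%s/status", argc > 1 ? argv[1] : "self");
    FILE *f = fopen(path, "r");
    if (!f) { perror(path); return 2; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    buf[n] = '\0'; fclose(f);
    int flags = check_dropped(buf);
    printf("%s: flags=%d (%s)\n", path, flags, flags ? "root IDs remain" : "fully dropped");
    return flags != 0;
}
```

Run it with the PID of the process inside the chroot as the only argument; a non-zero exit status means at least one root ID or a mismatched ID set is still present.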