Effective root environments

Trusted programs frequently rely on absolute pathnames resolving to the correct files. For example, the login program relies on /etc/security/passwd being the correct shadow password file.

This reliance covers not only data files but also the executable files of trusted programs. An untrusted program cannot use the chroot system call to change its effective root directory directly, but there may be situations in which the Trusted Computing Base (TCB) allows untrusted programs to run under an effective root. Absolute pathnames are then resolved relative to that effective root, so there are potential security problems if these untrusted programs can execute a trusted program that relies on an absolute pathname.
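
The effect can be modelled without chroot privileges. The following Python model is an added example, not part of the original documentation: it resolves the same absolute pathname under two effective roots and shows a trusted reader refusing a file whose identity differs from the one it recorded. The temporary directory trees, file contents, function names and the (device, inode) check are assumptions made for illustration, and symbolic links are not modelled.

```python
import os
import tempfile

SHADOW = "/etc/security/passwd"  # absolute pathname named on the page

def resolve_under_root(effective_root, pathname):
    """Model lookup of an absolute pathname for a process whose root directory
    is effective_root. Symlinks are not modelled (assumption of this example)."""
    if not pathname.startswith("/"):
        raise ValueError("model handles absolute pathnames only")
    parts = []
    for comp in pathname.split("/"):
        if comp == "..":
            parts = parts[:-1]  # ".." at the root stays at the root
        elif comp not in ("", "."):
            parts.append(comp)
    return os.path.join(effective_root, *parts)

def build_demo_roots():
    """Constructed sample data: a 'system' tree and an 'alternate' tree, each
    with its own file at SHADOW. Contents are placeholders, not AIX format."""
    base = tempfile.mkdtemp()
    roots = {}
    for name in ("system", "alternate"):
        roots[name] = os.path.join(base, name)
        os.makedirs(os.path.join(roots[name], "etc", "security"))
        with open(resolve_under_root(roots[name], SHADOW), "w") as f:
            f.write("constructed file in %s root\n" % name)
    return roots

def file_identity(path):
    """Return the (device, inode) pair that identifies a file independently of its name."""
    st = os.stat(path)
    return (st.st_dev, st.st_ino)

def trusted_read(effective_root, expected_identity):
    """Hypothetical check: read SHADOW only if the opened file is the one whose
    identity was recorded earlier. fstat on the open descriptor avoids a
    check-then-open race."""
    fd = os.open(resolve_under_root(effective_root, SHADOW), os.O_RDONLY)
    try:
        st = os.fstat(fd)
        if (st.st_dev, st.st_ino) != expected_identity:
            raise PermissionError("pathname resolved to an unexpected file")
        return os.read(fd, 4096).decode()
    finally:
        os.close(fd)
```

A recorded (device, inode) pair changes when the file is recreated or restored, so a check of this kind has to be refreshed whenever the file is legitimately replaced.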