Date:      Tue, 17 Nov 1998 12:09:52 -0800
From:      Julian Elischer <julian@whistle.com>
To:        Eivind Eklund <eivind@yes.no>
Cc:        Mike Smith <mike@smith.net.au>, Harold Gutch <logix@foobar.franken.de>, zhihuizhang <bf20761@binghamton.edu>, hackers <freebsd-hackers@FreeBSD.ORG>
Subject:   Re: Question on chroot()
Message-ID:  <3651D810.42877E5C@whistle.com>
References:  <19981115200813.B12524@foobar.franken.de> <199811152056.MAA14163@dingo.cdrom.com> <19981117125419.28799@follo.net>

Eivind Eklund wrote:
> 
> On Sun, Nov 15, 1998 at 12:56:03PM -0800, Mike Smith wrote:
> > > On Sun, Nov 15, 1998 at 09:56:32AM -0800, Mike Smith wrote:
> > > > Breaking out of a chroot'ed environment is less easy if you're not
> > > > root
> > > Is this meant to be read as "more or less impossible", that is,
> > > impossible unless the user can become root first (due to insecure
> > > suid-root binaries in the chroot-environment etc.), or can users
> > > really break out in more or less every situation (of course
> > > assuming stuff like that they don't have any open filehandles
> > > pointing to the outside in the beginning).
> >
> > It's quite difficult to break out of a chroot'ed environment, yes, and
> > it's intended to be impossible, so obviously you can only get out
> > through flaws in the implementation...
> 
> It is easy if you have root privileges inside the "jail".
> 
>         /* pseudo-code */
>         mkdir("mybreakdir", 0700);
>         breakfd = open(".", 0, 0);
>         chroot("mybreakdir");
>         fchdir(breakfd);
>         for (i=0; i<1000; i++)
>                 chdir("..");
>         chroot(".");

I think I posted that a few years ago :)

I looked for it in the archives but couldn't find it..
where was it :-)

> 
> I'm not sure if you need the fchdir(); chroot() is not supposed to
> affect your current directory.  I don't think anybody has fixed the
> above problem; it seems quite difficult to fix (you have to know which
> FDs are inside and outside the jail, which is non-trivial).

You can test all fds that are directories to see if they are outside the
chroot, and fail the chroot if there are any such.
However it doesn't help because you can fork, open a unix domain socket,
and have the child do the chroot and then have the parent send it
an fd that would have made the chroot fail.

result..
chroot is only useful for friendly or non-root processes.

there could be a few things that would fix this..
e.g. don't allow recursive chroots

but it's trickier than it first appears.
> 
> Eivind.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
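Julian's proposed check above (test every open directory fd and refuse the chroot if any lies outside the new root), as an added C example that is not from this thread or from FreeBSD's kernel. It walks each directory fd upward through openat(fd, "..") until it meets the intended root (inside) or a directory whose ".." is itself, i.e. the real "/" (outside); the 4096-step bound and the treatment of errors as "outside" are assumptions of this example. As the message points out, a root process can still defeat this by receiving an outside fd over a unix domain socket after chroot() returns, so the check is a hardening step for a wrapper, not a substitute for dropping root.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

static int same_file(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* 1 if directory fd lies under rootfd, 0 if outside, -1 on error or non-directory.
 * Walks upward through ".." until it meets the new root (inside) or a directory
 * whose ".." is itself, i.e. the real "/" (outside).  A prior chroot or a bind
 * mount can make ".." misleading, so callers should treat -1 as "refuse". */
int fd_is_under_root(int fd, int rootfd) {
    struct stat root_st, cur_st, parent_st;
    if (fstat(rootfd, &root_st) < 0 || fstat(fd, &cur_st) < 0) return -1;
    if (!S_ISDIR(root_st.st_mode) || !S_ISDIR(cur_st.st_mode)) return -1;
    int cur = dup(fd);                                  /* never close the caller's fd */
    if (cur < 0) return -1;
    for (int depth = 0; depth < 4096; depth++) {        /* bound the walk (assumption) */
        if (fstat(cur, &cur_st) < 0) break;
        if (same_file(&cur_st, &root_st)) { close(cur); return 1; }
        int parent = openat(cur, "..", O_RDONLY | O_DIRECTORY);
        if (parent < 0) break;
        if (fstat(parent, &parent_st) < 0) { close(parent); break; }
        int at_top = same_file(&parent_st, &cur_st);    /* ".." == "." means "/" */
        close(cur);
        cur = parent;
        if (at_top) { close(cur); return 0; }           /* hit "/" without passing rootfd */
    }
    close(cur);
    return -1;
}

/* Count open directory fds (other than rootfd) that are not under rootfd.
 * A chroot wrapper would refuse to proceed while this is non-zero. */
int count_dir_fds_outside(int rootfd) {
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536) max = 65536;            /* cap the scan (assumption) */
    int outside = 0;
    for (int fd = 0; fd < max; fd++) {
        struct stat st;
        if (fd == rootfd || fstat(fd, &st) < 0 || !S_ISDIR(st.st_mode)) continue;
        if (fd_is_under_root(fd, rootfd) != 1) outside++; /* -1 counts as outside */
    }
    return outside;
}
```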
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?3651D810.42877E5C>