Date:      Wed, 28 May 1997 22:57:47 -0600
From:      Warner Losh <imp@village.org>
To:        "David E. Cross" <dec@phoenix.its.rpi.edu>
Cc:        Peter Korsten <peter@grendel.IAEhv.nl>, Jaye Mathisen <mrcpu@cdsnet.net>, hackers@freebsd.org
Subject:   Re: Correct way to chroot for shell account users? 
Message-ID:  <E0wWxHX-0002Fs-00@rover.village.org>
In-Reply-To: Your message of "Thu, 29 May 1997 00:41:43 EDT." <Pine.BSF.3.95q.970529004028.7640A-100000@phoenix.its.rpi.edu> 
References:  <Pine.BSF.3.95q.970529004028.7640A-100000@phoenix.its.rpi.edu>  

In message <Pine.BSF.3.95q.970529004028.7640A-100000@phoenix.its.rpi.edu> "David E. Cross" writes:
: Could someone give me some simple details of how to break out of a chroot
: 'jail' (without relying on kernfs or raw devices), I have heard of this
: before, but no one has given me a theory or code of how to do it.

Basically, and this has been posted in many places, you get a handle
on something outside the jail.  You do this by basically opening '/',
mkdir xxx, chroot xxx, then fchdir to the old '/' and then chdir '..'.
There are things that can be done in the kernel, but they are either
very expensive or very hard to get right (and not break anything) or
both.

A simple fix is to disallow a chroot when someone has already been
chroot'd.  This breaks symmetry, but doesn't completely solve the
problem because there are many other ways out (that aren't on the top
of my head).

Hmmm, writing this up, I realized what the ln way was.  If you are in
a chroot jail, you mkdir xxx; ln xxx/yyy /; chroot xxx; cd yyy; cd
.. ; ... and you are out.  However, the ln step is no longer allowed
since it is hard linking directories together, which is bad for other
reasons.

Warner
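The escape Warner describes depends on two things the jailed process keeps: root privileges (so it can call chroot(2) again) and a reference to a directory outside the new root (the open fd on the old '/'). The C below is an added example, not code from this thread or from FreeBSD; it shows the usual user-space sequence a daemon should follow so that neither condition holds by the time untrusted code runs: close inherited descriptors, chroot, chdir into the new root, then drop group and user ids and verify the drop cannot be undone. The function names (`jail_config_ok`, `enter_jail`, `close_high_fds`) and the refusal of uid/gid 0 as a drop target are this example's own choices.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Reject configurations that would leave the escape possible:
 * a relative jail path (ambiguous after a chdir) or a target
 * uid/gid of 0, which is no privilege drop at all.  Returns 1 if ok. */
int jail_config_ok(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || dir[0] != '/')
        return 0;
    if (uid == 0 || gid == 0)
        return 0;
    return 1;
}

/* Close every descriptor above stderr so the process carries no
 * open directory (or file) outside the jail across the chroot. */
static void close_high_fds(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
        maxfd = 1024;               /* conservative fallback */
    for (long fd = 3; fd < maxfd; fd++)
        close(fd);
}

/* Enter the jail at 'dir' and become uid/gid.  Returns 0 on success,
 * -1 on failure with errno set.  Must be called while still root,
 * since chroot(2) and setuid(2) to another user require it. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (!jail_config_ok(dir, uid, gid)) {
        errno = EINVAL;
        return -1;
    }
    close_high_fds();               /* nothing outside may stay referenced */
    if (chroot(dir) != 0)
        return -1;
    if (chdir("/") != 0)            /* cwd must be inside the new root */
        return -1;
    if (setgroups(0, NULL) != 0)    /* drop supplementary groups first */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* The drop must be permanent: if we can get root back, the process
     * could chroot again and walk out exactly as described above. */
    if (setuid(0) == 0 || setgid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Constructed values for a stand-alone run; adjust to a real
     * jail directory and an unprivileged account before use. */
    if (enter_jail("/var/jail", 1001, 1001) != 0) {
        perror("enter_jail");
        return 1;
    }
    puts("inside jail, privileges dropped");
    return 0;
}
```

Note that this sequence only handles the fchdir and re-chroot route that the mail spells out; as Warner says, a chroot that still runs as root has other ways out, which is why the privilege drop, not the chroot itself, is the load-bearing step.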