Date: Thu, 29 May 1997 12:49:28 -0700
From: Julian Elischer <julian@whistle.com>
To: Warner Losh <imp@village.org>
Cc: Terry Lambert <terry@lambert.org>, dec@phoenix.its.rpi.edu, peter@grendel.IAEhv.nl, mrcpu@cdsnet.net, hackers@FreeBSD.ORG
Subject: Re: Correct way to chroot for shell account users?
Message-ID: <338DDDC8.794BDF32@whistle.com>
References: <199705291712.KAA03731@phaeton.artisoft.com> <E0wX9v2-0002xM-00@rover.village.org>

Warner Losh wrote:
>
> That would likely be the simplest and safest fix.  That would make
> chroot jails safer.  I don't know if that would fix the jailbreak
> problems completely, but it would be a start.  Another "fix" would be
> to disallow chroot when your root directory is "/" (absolute).
>

It is relatively easy and cheap to check if any given directory is
within your chroot hierarchy.

if ( you are chrooted ) {
	search backwards towards / for either the real root
		or the chroot'd root
	if you find the chroot root, return YES
}
return NO

Remember that most directories between an active directory and /
are probably in a cache somewhere (name or otherwise),
and the test only does expensive work when there is a chroot directory,
so for 99.9% of processes it's not done (except on anon ftp servers).

This is basically the code in getcwd() with a twist.

julian
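
Added example (not part of the message above and not FreeBSD kernel code): a user-space C model of the check sketched in the pseudocode. The `struct dir` and `struct proc` types, the parent-pointer walk standing in for vnodes and the name cache, and the sample tree are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy directory node (hypothetical); a kernel would walk vnodes / the name cache. */
struct dir {
    const char *name;
    const struct dir *parent;      /* ".."; the real root points at itself */
};

/* Per-process view (hypothetical): chroot_root is NULL when not chrooted. */
struct proc {
    const struct dir *real_root;
    const struct dir *chroot_root;
};

/* Constructed sample tree: /, /etc, /jail, /jail/home, /jail/home/user */
static const struct dir sample_root = { "/", &sample_root };
static const struct dir sample_etc  = { "etc", &sample_root };
static const struct dir sample_jail = { "jail", &sample_root };
static const struct dir sample_home = { "home", &sample_jail };
static const struct dir sample_user = { "user", &sample_home };

/* 1 if d is at or below p's chroot root, else 0.
 * As in the pseudocode, an unchrooted process gets 0 without any walk. */
int dir_within_chroot(const struct proc *p, const struct dir *d)
{
    if (p->chroot_root == NULL || p->chroot_root == p->real_root)
        return 0;                          /* not chrooted (or chrooted to /) */
    while (d != NULL) {
        if (d == p->chroot_root)
            return 1;                      /* reached the chroot'd root first */
        if (d == p->real_root || d->parent == d)
            return 0;                      /* reached the real root: outside */
        d = d->parent;
    }
    return 0;                              /* detached node: treat as outside */
}

int main(void)
{
    struct proc jailed = { &sample_root, &sample_jail };
    printf("/jail/home/user: %d\n", dir_within_chroot(&jailed, &sample_user));
    printf("/etc:            %d\n", dir_within_chroot(&jailed, &sample_etc));
    return 0;
}
```

The walk costs one step per path component between the directory and the nearest root, and the first test keeps it off the path entirely for processes that are not chrooted.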