Date:      Fri, 10 Aug 2007 14:01:22 +0200
From:      Pawel Jakub Dawidek <pjd@FreeBSD.org>
To:        stef@memberwebs.com
Cc:        freebsd-security@freebsd.org, Pieter de Boer <pieter@thedarkside.nl>
Subject:   Re: kern.chroot_allow_open_directories
Message-ID:  <20070810120122.GF12687@garage.freebsd.pl>
In-Reply-To: <20070719203428.C44AAD4C09@mx.npubs.com>
References:  <20070717032204.09BA8D4F8E@mx.npubs.com> <469FA0D1.7000304@thedarkside.nl> <20070719203428.C44AAD4C09@mx.npubs.com>


On Thu, Jul 19, 2007 at 08:34:29PM +0000, Stef Walter wrote:
> Pieter de Boer wrote:
> >> Is this sysctl meant to prevent breaking out of a chroot? Or am I
> >> missing the point of 'kern.chroot_allow_open_directories'?
> >>
> > If the sysctl was set to 0 at the moment chroot() was called, then the
> > chroot() would have failed if the calling process had open directories
> > (that's what the sysctl is meant to do, if I'm understanding the source
> > right). If directories weren't open, the chroot() would work, but the
> > process would obviously not be able to open directories outside the
> > chroot after that, even if you'd set the sysctl to 1.
> >
> > As I see it, there's no problem here, but could be wrong; chroot() is
> > tricky afaik..
>
> Yes, it sure is.
>
> However if a root process inside the chroot jail reset that sysctl,
> after which it seems it could perform the usual break out thingy:
>
> http://www.bpfh.net/simes/computing/chroot-break.html
>
> I guess what I was wondering, is if FreeBSD is in fact immune to this
> attack, and whether it makes sense to chroot superuser processes on FreeBSD.

Superuser running inside chroot(2) has many ways to escape. You
basically gain no additional security in chrooting a process that will
continue to operate with privileges.
You should either chroot and drop privileges or use jail(2).

--
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd@FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
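
The "chroot and drop privileges" option recommended in the reply above, as an added C example (not code from this thread or from FreeBSD). The helper name chroot_and_drop, its step codes, the /var/empty directory and uid/gid 65534 are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot(2) and setgroups(2) */
#endif
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Step codes (hypothetical) so the caller can log which step failed. */
enum { CD_OK = 0, CD_BADARG = -1, CD_CHDIR = -2, CD_CHROOT = -3,
       CD_GROUPS = -4, CD_GID = -5, CD_UID = -6, CD_STILL_ROOT = -7 };

/*
 * Hypothetical helper: confine the calling root process to `dir`, then
 * switch permanently to an unprivileged uid/gid. Order matters: chroot(2)
 * needs root, groups and gid must change while still root, setuid() is last.
 */
int chroot_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || uid == 0 || gid == 0)
        return CD_BADARG;            /* staying root defeats the purpose */
    if (chdir(dir) != 0)
        return CD_CHDIR;             /* cwd must end up inside the new root */
    if (chroot(".") != 0 || chdir("/") != 0)
        return CD_CHROOT;
    if (setgroups(1, &gid) != 0)     /* discard root's supplementary groups */
        return CD_GROUPS;
    if (setgid(gid) != 0)
        return CD_GID;
    if (setuid(uid) != 0)            /* as root: real, effective and saved uid */
        return CD_UID;
    /* Verify the drop cannot be undone: regaining uid 0 must fail. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return CD_STILL_ROOT;
    return CD_OK;
}

int main(int argc, char **argv)
{
    /* Constructed defaults: an empty directory and the "nobody" ids. */
    const char *dir = argc > 1 ? argv[1] : "/var/empty";
    int rc = chroot_and_drop(dir, 65534, 65534);
    if (rc != CD_OK)
        fprintf(stderr, "confinement failed at step %d, exiting\n", rc);
    return rc == CD_OK ? 0 : 1;
}
```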
