Date: Tue, 27 May 1997 17:31:27 -0700 (MST)
From: Terry Lambert <terry@lambert.org>
To: peter@grendel.IAEhv.nl (Peter Korsten)
Cc: terry@lambert.org, hackers@FreeBSD.ORG
Subject: Re: Correct way to chroot for shell account users?
Message-ID: <199705280031.RAA00769@phaeton.artisoft.com>
In-Reply-To: <19970527233812.31278@hw.nl> from "Peter Korsten" at May 27, 97 11:38:12 pm

> > > I don't think you can build a real shell (like sh or csh) and have
> > > it run safely inside a chroot environment. Someone (as a matter of
> > > fact, the FreeBSD security officer :) ) showed me how to break out
> > > of a chroot environment with a simple 'ln' or something like that.
> >
> > Actually, this problem has to do with namei() and the use of NULL
> > to indicate a non-chroot struct file * for the current directory
> > for the process.
>
> No, it really was with some simple /bin commands. No structures
> or null pointers were mentioned.

You can't get out of a chroot environment if namei() won't let you.

Hard links aren't allowed on directories, so the only way to lookup
out of the chroot'ed hierarchy is:

1)	fchdir()	...this is supposed to work this way
2)	broken namei() symlink and/or ".." traversal behaviour

The problem is that namei() is letting you out when it should not be.

The implementation detail is the symbolic link rerooting which occurs
because of the root dir specification of "null" not being relative
to the location.

If, on fork(), you define the root dir for all processes to be
inherited from the parent, and then initialize init to point at
the vnode for "/" instead of NULL, the problem goes away.

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
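
Item 1 in the message above (fchdir() working as designed) means a directory descriptor opened before chroot() still refers to a directory outside the new root. The following is an added example, not code from the original message or from FreeBSD: it closes such descriptors before confining the process. The names close_directory_fds, enter_jail and SCAN_LIMIT are hypothetical, and the scan bound is an assumption.

```c
#define _DEFAULT_SOURCE            /* exposes chroot() and setgroups() on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

#define SCAN_LIMIT 65536L          /* assumed upper bound on descriptors scanned */

/* Close every open descriptor that refers to a directory.
 * Returns the number closed, or -1 if the descriptor limit is unknown. */
int close_directory_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    int closed = 0;
    if (max < 0)
        return -1;
    if (max > SCAN_LIMIT)
        max = SCAN_LIMIT;
    for (int fd = 0; fd < max; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && close(fd) == 0)
            closed++;
    }
    return closed;
}

/* Hypothetical helper: confine the caller to `jail`, then drop root. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (close_directory_fds() < 0) return -1;
    if (chdir(jail) != 0) return -1;      /* cwd inside the new root first */
    if (chroot(".") != 0) return -1;      /* needs root */
    if (chdir("/") != 0) return -1;
    if (setgroups(1, &gid) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    return setuid(uid);                   /* last: root is gone after this */
}

int main(void)
{
    int held = open(".", O_RDONLY);       /* constructed: a leftover directory fd */
    int closed = close_directory_fds();
    printf("opened fd %d, closed %d directory descriptor(s)\n", held, closed);
    return 0;
}
```

This covers only the descriptor case; the namei() lookup behaviour in item 2 is a kernel matter that user code cannot correct.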