From owner-freebsd-hackers Tue May 27 17:32:25 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id RAA11733 for hackers-outgoing; Tue, 27 May 1997 17:32:25 -0700 (PDT)
Received: from phaeton.artisoft.com (phaeton.Artisoft.COM [198.17.250.50]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id RAA11728 for ; Tue, 27 May 1997 17:32:22 -0700 (PDT)
Received: (from terry@localhost) by phaeton.artisoft.com (8.6.11/8.6.9) id RAA00769; Tue, 27 May 1997 17:31:27 -0700
From: Terry Lambert
Message-Id: <199705280031.RAA00769@phaeton.artisoft.com>
Subject: Re: Correct way to chroot for shell account users?
To: peter@grendel.IAEhv.nl (Peter Korsten)
Date: Tue, 27 May 1997 17:31:27 -0700 (MST)
Cc: terry@lambert.org, hackers@FreeBSD.ORG
In-Reply-To: <19970527233812.31278@hw.nl> from "Peter Korsten" at May 27, 97 11:38:12 pm
X-Mailer: ELM [version 2.4 PL24]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-hackers@FreeBSD.ORG
X-Loop: FreeBSD.org
Precedence: bulk

> > > I don't think you can build a real shell (like sh or csh) and have
> > > it run safely inside a chroot environment. Someone (as a matter of
> > > fact, the FreeBSD security officer :) ) showed me how to break out
> > > of a chroot environment with a simple 'ln' or something like that.
> >
> > Actually, this problem has to do with namei() and the use of NULL
> > to indicate a non-chroot struct file * for the current directory
> > for the process.
>
> No, it really was with some simple /bin commands. No structures
> or null pointers were mentioned.

You can't get out of a chroot environment if namei() won't let you.
Hard links aren't allowed on directories, so the only way to lookup
out of the chroot'ed hierarchy is:

1) fchdir()

   ...this is supposed to work this way

2) broken namei() symlink and/or ".." traversal behaviour

The problem is that namei() is letting you out when it should not be.

The implementation detail is the symbolic link rerooting which occurs
because of the root dir specification of "null" not being relative to
the location.

If, on fork(), you define the root dir for all processes to be
inherited from the parent, and then initialize init to point at the
vnode for "/" instead of NULL, the problem goes away.

					Terry Lambert
					terry@lambert.org
---
Any opinions in this posting are my own and not those of my present
or previous employers.
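Added example, not part of the original thread or of any FreeBSD code: route (1) above, fchdir(), works by design, so the userland side of "the correct way to chroot" is to make sure the process carries no open descriptor to a directory outside the new root when it enters the jail. The code below audits every open descriptor with fstat(2) and refuses to chroot while any directory descriptor is still open, then performs the usual chdir/chroot/chdir("/") sequence. The helper names `count_open_dir_fds` and `enter_chroot`, and the jail path `/var/empty`, are my own choices for the illustration.

```c
/* Added example: defensive chroot entry that closes off the fchdir()
 * escape route. Helper names and the jail path are assumptions made
 * for this illustration, not part of the mailing-list thread. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>

/* Count open descriptors that refer to directories.
 * Returns the count, or -1 on an unexpected fstat() failure. */
int count_open_dir_fds(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
        maxfd = 1024;              /* conservative fallback (assumption) */
    int count = 0;
    for (long fd = 0; fd < maxfd; fd++) {
        struct stat st;
        if (fstat((int)fd, &st) == -1) {
            if (errno == EBADF)
                continue;          /* descriptor is not open */
            return -1;
        }
        if (S_ISDIR(st.st_mode))
            count++;               /* an fchdir() target survives chroot */
    }
    return count;
}

/* Enter `dir` as the new root. Returns 0 on success, -1 with errno set.
 * Fails with EBUSY if any directory descriptor is still open, because
 * such a descriptor could be handed to fchdir() after the chroot.
 * Needs the privilege chroot(2) requires. */
int enter_chroot(const char *dir)
{
    int dirs = count_open_dir_fds();
    if (dirs != 0) {
        errno = (dirs < 0) ? errno : EBUSY;
        return -1;
    }
    /* chdir() first so the cwd is inside the jail, then chroot(), then
     * chdir("/") so the cwd is expressed relative to the new root
     * (chroot(2) does not move the cwd by itself). */
    if (chdir(dir) == -1)
        return -1;
    if (chroot(dir) == -1)
        return -1;
    if (chdir("/") == -1)
        return -1;
    return 0;
}

int main(void)
{
    int before = count_open_dir_fds();
    /* Constructed condition: deliberately leak a directory descriptor. */
    int leaked = open(".", O_RDONLY | O_DIRECTORY);
    printf("directory fds open: %d before, %d after open(\".\")\n",
           before, count_open_dir_fds());
    if (enter_chroot("/var/empty") == -1 && errno == EBUSY)
        printf("refused: a directory descriptor is still open\n");
    if (leaked >= 0)
        close(leaked);
    return 0;
}
```

A service that uses this would close or re-open its descriptors to point inside the jail before calling `enter_chroot()`, and should drop root afterwards with setgid()/setuid(), since the descriptor audit addresses only route (1) in the mail; route (2), the namei() behaviour Terry describes, is a kernel fix and cannot be worked around from userland.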