Date: Mon, 28 Sep 2020 11:50:14 +0200
From: Daniel Ebdrup Jensen <debdrup@FreeBSD.org>
To: freebsd-hackers@freebsd.org
Subject: Re: Is it possible to exit the chroot(2) environment?
Message-ID: <20200928095014.ohhug4amcao4747x@nerd-thinkpad.local>
In-Reply-To: <4702ab92-0cee-133d-62c9-1cfa787379e6@freebsd.org>
References: <CACNAnaF-psLeTzwk=HygP4ESEynRyR-m62T1FAjw=ON6J2PVTg@mail.gmail.com> <a488f94a-6efc-27f3-d0a4-489f6f99772d@rawbw.com> <CACNAnaG_u1aVRJpKeb9n0rK4UqRRZDGBt7i=iRtPf-7kxqYQBw@mail.gmail.com> <9fa46833-63c2-a77f-98dd-111f6502dc74@rawbw.com> <CACNAnaFqtpDkd76Z3vAUMcCMwTpMyfy91NPyufeVd%2B8UAqZHKQ@mail.gmail.com> <CANCZdfrzCuR4W-JzoFPyW6WCwVJGwQfuesjmCBMRMSnvfXdv7Q@mail.gmail.com> <CACNAnaGgk6NoxD3kXGpbtAZk%2Bbc%2B2XVc%2B1sO06QU1e%2BKp9CZwQ@mail.gmail.com> <3d17ea59-0e85-4e33-f426-deec99f07b83@rawbw.com> <CACNAnaHOWej5XGE4kDgAW_Mo-OR3CDKcFRm3%2Bj6VF=d6_d5qpg@mail.gmail.com> <4702ab92-0cee-133d-62c9-1cfa787379e6@freebsd.org>

On Sun, Sep 27, 2020 at 03:24:05PM -0700, Craig Leres wrote:
>Don't forget about fchdir(), I've used it (in non-chroot()) programs
>to implement pushd/popd functionality in a recursive function.
>
> Craig

Hi folks,

In reading this thread, I was reminded that the jail paper from SANE 2000 [1] documents both ".." and fchdir() as well-known methods for escaping, with the former being used to escape anonymous ftp access in the ftp daemon. Similarly, I also have vague memories of cd / being used to escape chroot.

The section also mentions that new code was added to detect and thwart these escapes, so perhaps there is a commit log that would be interesting to look at?

Going back in history a bit, from the 'Special handling for ".."' block in ufs_nami.c in 4.1cBSD [2], it does seem like chroot wasn't even meant to prevent escaping in V7, and was noticed as a result of redoing namei() for FFS, and subsequently fixed - so it may be that other Unix-likes inherited different logic than the BSDs?

[1]: http://www.sane.nl/events/sane2000/papers/kamp.pdf
[2]: https://minnie.tuhs.org/cgi-bin/utree.pl?file=4.1cBSD/a/sys/sys/ufs_nami.c
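An added example, not part of the original message or of the FreeBSD source: a userspace counterpart to the fchdir() escape mentioned above, in which a process refuses to call chroot(2) while it still holds a directory descriptor open. The names `open_directory_fds` and `enter_chroot` and the descriptor limit of 256 are assumptions made for the illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot() in <unistd.h> */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count descriptors in [0, limit) that refer to directories.
 * At most max_out of them are stored in out. */
int open_directory_fds(int limit, int *out, int max_out)
{
    int n = 0;
    for (int fd = 0; fd < limit; fd++) {
        struct stat sb;
        if (fstat(fd, &sb) == 0 && S_ISDIR(sb.st_mode)) {
            if (n < max_out)
                out[n] = fd;
            n++;
        }
    }
    return n;
}

/* Hypothetical helper: confine the calling process to newroot.
 * Returns 0 on success, -1 on a system call error, and -2 when a
 * directory descriptor is still open, because a later fchdir() on it
 * would move the process outside the new root. */
int enter_chroot(const char *newroot, int fd_limit)
{
    int dirs[16];
    if (open_directory_fds(fd_limit, dirs, 16) > 0)
        return -2;
    if (chdir(newroot) != 0)    /* working directory inside the new root */
        return -1;
    if (chroot(".") != 0)       /* requires root privileges */
        return -1;
    return 0;
}

int main(void)
{
    int dirs[16];
    int d = open("/", O_RDONLY);    /* constructed case: a leftover dir fd */
    int n = open_directory_fds(256, dirs, 16);
    printf("%d directory descriptor(s) open, enter_chroot -> %d\n",
           n, enter_chroot("/", 256));
    if (d >= 0)
        close(d);
    return 0;
}
```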