From owner-freebsd-hackers@freebsd.org Mon Sep 28 09:50:17 2020 Return-Path: Delivered-To: freebsd-hackers@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 524643FD21C for ; Mon, 28 Sep 2020 09:50:17 +0000 (UTC) (envelope-from debdrup@freebsd.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2610:1c1:1:6074::16:84]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "freefall.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4C0HnP1QHyz48BQ for ; Mon, 28 Sep 2020 09:50:17 +0000 (UTC) (envelope-from debdrup@freebsd.org) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1601286617; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=JdO1VJ+6jJ5mfArGbPc0Ipfo0EhYHF7ZqHexhxysBxk=; b=tJ3CA3y5v6eTxz7EQz82wIyWJD7xNurAUF5OGpBSMy9BNwEgQpv2jVLLFVdKhhhRwnhnEH tE9lDXrMu75XRWFp+ssyfVDBBurrpIcBKFxWRlk7SZ9x8mn8iS9q9ApIHWNt85SKxxRimn g4hhbGXT+JHtAjl6pRcehwEKF3u9cFOxniyiSXHw/6psg3v5SQH0sbDXfYFS6J/ws248xo hid/oa+BeGAExI640pURcKusKS1TfB2u32t8FopTfz4uNLYOOLfI/T8f5whx1xdJnM9uad vWotAiSbZfVx/bFpAcsb5SwBOH08x5DZgDQ0N4AL+Is1X+BYwJuVSjdqhXIzAg== Received: by freefall.freebsd.org (Postfix, from userid 1471) id 20B40DBB3; Mon, 28 Sep 2020 09:50:17 +0000 (UTC) Date: Mon, 28 Sep 2020 11:50:14 +0200 From: Daniel Ebdrup Jensen To: freebsd-hackers@freebsd.org Subject: Re: Is it possible to exit the chroot(2) environment? Message-ID: <20200928095014.ohhug4amcao4747x@nerd-thinkpad.local> Mail-Followup-To: Daniel Ebdrup Jensen , freebsd-hackers@freebsd.org References: <9fa46833-63c2-a77f-98dd-111f6502dc74@rawbw.com> <3d17ea59-0e85-4e33-f426-deec99f07b83@rawbw.com> <4702ab92-0cee-133d-62c9-1cfa787379e6@freebsd.org> MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha512; protocol="application/pgp-signature"; boundary="pawcz25trzurace3" Content-Disposition: inline In-Reply-To: <4702ab92-0cee-133d-62c9-1cfa787379e6@freebsd.org> ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=freebsd.org; s=dkim; t=1601286617; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=JdO1VJ+6jJ5mfArGbPc0Ipfo0EhYHF7ZqHexhxysBxk=; b=RSCj9z9Z12+KbBzcBqJKSKc3gsKVEobkYmhA+aFB2r/1/kCmJCrh8x5uKCcqUEkSdui/jG ZYS8sq3LyLrOt8XrHwJyqtIom7N/ryNMhaOQFlByJWRz97u9lVK55L011LyhTpkOa0tBYJ wkAiNCFkxvQkk+kdel9PqWf/ax+51FJ6n9ik2UQV3QzDdSPkDjKu7pVtd7ZXSye7GK1ynw Vce4fj/OCgmZMEYon6uHQJypxoR98pKmRUZ5py0wBlE+JESrd5c0EhFHvXFC3F5DzyQ9uP 5v5Tcknm7NlDlud6OLYzDT9xOLeGPZluKqB2LHuqfmSynmDzQTGm1Wmsk8b8hw== ARC-Seal: i=1; s=dkim; d=freebsd.org; t=1601286617; a=rsa-sha256; cv=none; b=oZgeJdO5+NA0Mi/8nOHlKX3XIDPX6zALRjI7PNczfderpTQUTkCCwivZK4giG1OqWFhTpZ uW3xJbLYhIOt/C2NsVXB86xbcdxcVRi12YAsyuCrB3yP5NGXyVkMb8QhJEMtB46j9qv5pa n8ACpJ4DxjpHrri0f077LdQyznJaGLkB+mNpl2It6y89NAgmDIUL430btRmbs8lNEKfXme h3PpHXrS5RnT2nS7gwIrhi2niVojlc7w4YVTf3mfVcH39KHjatrWRQe5GovovYKLmblQLt Wvdm4KVpf30/O2V93oaVX81kstdcYl/xkh8LrsyYb2O6ArgRiMwGr/5FR3JUUg== ARC-Authentication-Results: i=1; mx1.freebsd.org; none X-BeenThere: freebsd-hackers@freebsd.org X-Mailman-Version: 2.1.33 Precedence: list List-Id: Technical Discussions relating to FreeBSD List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 28 Sep 2020 09:50:17 -0000 --pawcz25trzurace3 Content-Type: text/plain; charset=us-ascii; format=flowed Content-Disposition: inline Content-Transfer-Encoding: quoted-printable On Sun, Sep 27, 2020 at 03:24:05PM -0700, Craig Leres wrote: >Don't forget about fchdir(), I've used it (in non-chroot()) programs=20 >to implement pushd/popd functionality in a recursive function. > > Craig >_______________________________________________ >freebsd-hackers@freebsd.org mailing list >https://lists.freebsd.org/mailman/listinfo/freebsd-hackers >To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org" Hi folks, In reading this thread, I was reminded that the jail paper from SANE 2000 [= 1] documents both ".." and fchdir() as well-known methods for escaping, with t= he=20 former being used to escape anonymous ftp access in the ftp daemon. Similar= ily,=20 I also have vague memories of cd / being used to escape chroot. The section also mentions that new code was added to detect and thwart thes= e=20 escapes, so perhaps there is a commit log that would be interesting to look= at? Going back in history a bit, from the 'Special handling for ".."' block in= =20 ufs_nami.c in 4.1cBSD [2], it does seem like chroot wasn't even meant to pr= event=20 escaping in V7, and was noticed as a result of redoing namei() for FFS, and= =20 subsequently fixed - so it may be that other Unix-likes inherited different= =20 logic than the BSDs? [1]: http://www.sane.nl/events/sane2000/papers/kamp.pdf [2]: https://minnie.tuhs.org/cgi-bin/utree.pl?file=3D4.1cBSD/a/sys/sys/ufs_= nami.c --pawcz25trzurace3 Content-Type: application/pgp-signature; name="signature.asc" -----BEGIN PGP SIGNATURE----- iQGTBAABCgB9FiEEDonNJPbg/JLIMoS6Ps5hSHzN87oFAl9xsdZfFIAAAAAALgAo aXNzdWVyLWZwckBub3RhdGlvbnMub3BlbnBncC5maWZ0aGhvcnNlbWFuLm5ldDBF ODlDRDI0RjZFMEZDOTJDODMyODRCQTNFQ0U2MTQ4N0NDREYzQkEACgkQPs5hSHzN 87r22gf7Bo43VC6Lt+lpwZgLniW5VHn2/WaBVZfmmNy38BXxA+qwKTnLz1RxjRNb vQh4Qga6t941MpIZV4+SbjdLkSa2xixcX0BerQJGX0AsSM6LnDM5WLDf1gHui+GF sVDF8yo/6Mmy4Lh9jJ+xWci49HF+eZ5uMsWzGp0sK0WcJJgC0qHGPt6QP/P980on VmuXasI3ZXdfHlMSCGWiB/kyOB5NF2h9AzUXG7NZ5FL3MLgIkQ5uNna0r6WzOHV8 rdKJKaBh+25g0QVKnhI9u8hTImgEJDNDybX0cTwFPNB/HOrmKz6osN+DkW8/7cvx 5R/yxBNHnUk02A1u93fijKfc+fJzVw== =XFBY -----END PGP SIGNATURE----- --pawcz25trzurace3--