From owner-freebsd-hackers Tue Jul 28 14:34:35 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id OAA20506 for freebsd-hackers-outgoing; Tue, 28 Jul 1998 14:34:35 -0700 (PDT) (envelope-from owner-freebsd-hackers@FreeBSD.ORG) Received: from indigo.ie (nsmart@ts02-119.dublin.indigo.ie [194.125.134.249]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id OAA20368 for ; Tue, 28 Jul 1998 14:33:56 -0700 (PDT) (envelope-from rotel@indigo.ie) Received: (from nsmart@localhost) by indigo.ie (8.8.8/8.8.7) id WAA01426; Tue, 28 Jul 1998 22:28:15 +0100 (IST) (envelope-from rotel@indigo.ie) From: Niall Smart Message-Id: <199807282128.WAA01426@indigo.ie> Date: Tue, 28 Jul 1998 22:28:15 +0000 In-Reply-To: <199807272316.QAA04693@usr05.primenet.com>; Terry Lambert Reply-To: rotel@indigo.ie X-Files: The truth is out there X-Mailer: Mail User's Shell (7.2.6 beta(3) 11/17/96) To: Terry Lambert , n@nectar.com (Jacques Vidrine) Subject: Re: inetd enhancements Cc: hackers@FreeBSD.ORG Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG On Jul 27, 11:16pm, Terry Lambert wrote: } Subject: Re: inetd enhancements > > > Root can escape > > > a chroot jail because of the way the chroot root vnode is (in my > > > opinion) incorrectly set to NULL instead of the real root for the > > > non-chroot case (fixing this would incidently simplify the namei code). > > > > > > The "ftpd" case is especially vulnerable... > > > > I don't follow. Could you give an example scenario of an exploit? > > I spared the list my code for doing this, sending it only to the > questioner. Thank you, Terry. You can also effectively break out of chroot with ptrace. Niall -- Niall Smart, rotel@indigo.ie. Amaze your friends and annoy your enemies: echo '#define if(x) if (!(x))' >> /usr/include/stdio.h To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message