Date: 29 May 1997 17:12:54 +0100
From: Andrew Gierth <andrew@erlenstar.demon.co.uk>
To: Terry Lambert <terry@lambert.org>
Cc: Warner Losh <imp@village.org>, hackers@freebsd.org
Subject: Re: Correct way to chroot for shell account users?
Message-ID: <8767w2p88p.fsf@erlenstar.demon.co.uk>
In-Reply-To: Terry Lambert's message of Thu, 29 May 1997 07:56:26 -0700 (MST)
References: <199705291456.HAA03526@phaeton.artisoft.com>
[CC list reduced]
>>>>> "Terry" == Terry Lambert <terry@lambert.org> writes:
[Warner Losh]
>> Basically, and this has been posted in many places, you get a
>> handle on something outside the jail. You do this by basically
>> opening '/', mkdir xxx, chroot xxx, then fchdir to the old '/' and
>> then chdir '..'. There are things that can be done in the kernel,
>> but they are either very expensive or very hard to get right (and
>> not break anything) or both.
There's another, simpler, way that doesn't need a handle on '/'.
Terry> I really don't see how either of these could possibly work,
Terry> given:
Terry> 1) namei() refusing to traverse ".." from the chroot'ed root
Terry> vnode (this is broken, but then almost all of namei() is
Terry> broken, and no one cares but me...).
Terry> 2) The chroot() call takes a path, which namei() will look up
Terry> relative
Terry> 3) The link() system call in /sys/kern/vfs_syscalls.c has code
Terry> to prevent hard links on directories:
That's what he meant by "However, the ln step is no longer allowed"...
Terry> 4) You don't have to let them have an open fd to the original
Terry> "/" when you throw them in jail.
Not needed.
The simpler way (which relies on standards-compliant behaviour of
chroot(), which must not change the current directory) is simply
to do:

    mkdir("xxx", 0700);
    chroot("xxx");
    /* note: "." is *outside* the root subtree at this point */
    for (i = 0; i < 1000; i++)
        chdir("..");
    chroot(".");

and you're out.
Terry> 5) Calling chroot(2) is restricted to the superuser anyway,
Terry> and only an idiot would try to put a root user in a chroot
Terry> jail anyway (or put an ordinary user in a chroot jail with
Terry> suid/sgid binaries).
Exactly.
--
Andrew.
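
The sequence in the message depends on two things: chroot() leaving "." where it was, and the caller still being root afterwards. The following is an added example, not part of the original message or of FreeBSD (enter_jail and close_dir_fds are hypothetical names, and the 65536 descriptor cap is a constructed value); it shows a jail entry routine that removes both conditions and also covers Terry's point 4 about open descriptors.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* chroot(), setgroups() on glibc */
#endif
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Close every descriptor >= lowfd that is a directory, so nothing opened
 * before the jail can be passed to fchdir() later. Returns the count closed. */
int close_dir_fds(int lowfd)
{
    struct stat st;
    long max = sysconf(_SC_OPEN_MAX);
    int closed = 0;
    if (max < 0 || max > 65536)
        max = 65536;                /* constructed cap for this example */
    for (int fd = lowfd; fd < max; fd++)
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && close(fd) == 0)
            closed++;
    return closed;
}

/* Make `dir` the root, then become unprivileged uid/gid (hypothetical helper).
 * Returns 0, or -1 with errno set; the caller must exit on failure. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    int fd;

    if (uid == 0 || gid == 0) {     /* root inside the jail can chroot() again */
        errno = EINVAL;
        return -1;
    }
    if ((fd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    /* Move "." inside the new root before chroot(); chroot() alone leaves it outside. */
    if (fchdir(fd) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;
    close_dir_fds(3);               /* also closes fd: no handle on the old tree */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {           /* the drop must not be reversible */
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

The jail directory should hold no suid/sgid binaries (Terry's point 5), since those would hand root back to the jailed user.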
