From: Andrew Gierth
To: Terry Lambert
Cc: Warner Losh, hackers@freebsd.org
Subject: Re: Correct way to chroot for shell account users?
Date: 29 May 1997 17:12:54 +0100
Message-ID: <8767w2p88p.fsf@erlenstar.demon.co.uk>
References: <199705291456.HAA03526@phaeton.artisoft.com>
In-Reply-To: Terry Lambert's message of Thu, 29 May 1997 07:56:26 -0700 (MST)

[CC list reduced]

>>>>> "Terry" == Terry Lambert writes:

[Warner Losh]
>> Basically, and this has been posted in many places, you get a
>> handle on something outside the jail. You do this by basically
>> opening '/', mkdir xxx, chroot xxx, then fchdir to the old '/' and
>> then chdir '..'. There are things that can be done in the kernel,
>> but they are either very expensive or very hard to get right (and
>> not break anything) or both.

There's another, simpler, way that doesn't need a handle on '/'.

Terry> I really don't see how either of these could possibly work,
Terry> given:

Terry> 1) namei() refusing to traverse ".." from the chroot'ed root
Terry> vnode (this is broken, but then almost all of namei() is
Terry> broken, and no one cares but me...).

Terry> 2) The chroot() call takes a path, which namei() will look up
Terry> relative

Terry> 3) The link() system call in /sys/kern/vfs_syscalls.c has code
Terry> to prevent hard links on directories:

That's what he meant by "However, the ln step is no longer allowed"...

Terry> 4) You don't have to let them have an open fd to the original
Terry> "/" when you throw them in jail.

Not needed. The simpler way (which relies on standards-compliant
behaviour of chroot(), which must not change the current directory) is
simply to do:

    mkdir("xxx");
    chroot("xxx");
    /* note: "." is *outside* the root subtree at this point */
    for (i = 0; i < 1000; i++)
        chdir("..");
    chroot(".");

and you're out.

Terry> 5) Calling chroot(2) is restricted to the superuser anyway,
Terry> and only an idiot would try to put a root user in a chroot
Terry> jail anyway (or put an ordinary user in a chroot jail with
Terry> suid/sgid binaries).

Exactly.

-- 
Andrew.
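As an added example (not code from the thread or from FreeBSD), here is the jail-entry order the discussion implies for whoever sets up the jail: chdir into the jail before chroot(), because chroot(2) must not change the current directory, and then drop root so the jailed process can no longer call chroot(2) at all, which is the point of Terry's item 5. The function name enter_jail, its arguments and the uid/gid values in main are assumptions; it targets a POSIX/BSD-style system.

```c
/* Added example: confine the calling process to a directory and drop root.
 * Assumes a POSIX/BSD-style system; enter_jail and its arguments are
 * assumed names, not an existing API. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 on success, -1 with errno set on failure. On success the
 * process is unprivileged inside `jail`, so the cwd-based escape in the
 * thread cannot start: its first step, a second chroot(), needs root. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    /* 1. chdir first. chroot() leaves "." alone, so a process whose cwd
     *    is still outside the new root is not confined by the root alone. */
    if (chdir(jail) != 0)
        return -1;
    /* 2. Make the directory we are now in the root. Using "." ties the
     *    new root to the cwd we just verified, not to a path lookup. */
    if (chroot(".") != 0)
        return -1;
    /* 3. Drop privileges: supplementary groups, then gid, then uid last
     *    (once uid is non-zero we can no longer change the others). */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* 4. Verify root is really gone: chroot(2) is superuser-only, so a
     *    further chroot(".") must now fail with EPERM. If it succeeds we
     *    are still root inside the jail, which is exactly the situation
     *    the thread calls hopeless, so report failure. */
    if (chroot(".") == 0) {
        errno = EPERM;
        return -1;
    }
    return errno == EPERM ? 0 : -1;
}

int main(int argc, char **argv)
{
    /* Constructed sample use: uid/gid 65534 stand in for an unprivileged
     * "nobody"-style account; real code would look the account up. */
    if (argc != 2) {
        fprintf(stderr, "usage: %s <jaildir>\n", argv[0]);
        return 2;
    }
    if (enter_jail(argv[1], 65534, 65534) != 0) {
        perror("enter_jail");
        return 1;
    }
    puts("confined and unprivileged; chroot(2) is no longer available");
    return 0;
}
```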