Date:      Fri, 1 Nov 1996 18:29:42 -0700 (MST)
From:      Marc Slemko <marcs@znep.com>
To:        Dev Chanchani <dev@trifecta.com>
Cc:        freebsd-security@FreeBSD.org
Subject:   Re: chroot() security
Message-ID:  <Pine.BSF.3.95.961101181326.22655I-100000@alive.ampr.ab.ca>
In-Reply-To: <Pine.BSF.3.91.961101200316.8137A-100000@www.trifecta.com>

On Fri, 1 Nov 1996, Dev Chanchani wrote:

> On Fri, 1 Nov 1996, Marc Slemko wrote:
> 
> > Never lose sight of the fact that if someone gets root in the chrooted
> > environment, they have root on the whole machine.  The chrooted
> > environment does not lessen the implications of getting root, it only
> > makes it harder to do so.
> 
> Marc,
> Thanks for the reply.
> Basically, how can someone get out of a chroot()'ed environment if they 
> get root? 

Many, many ways.

> Can they access the filesystem outside their chroot()'ed 
> directory? I know they can place their own binaries and begin to sniff, 
> etc, but can they easily get out of their environment? Also, can a user 
> access the inode table or does the kernel only access the inode table?

They can do whatever they want; it may take some effort, but not that
much.  Simply getting root does not automatically give access to files
outside the chrooted environment, but it is easy enough to get once you
have root.  For example, from inside the chrooted environment create
/dev/sd0a or whatever the root partition is and then you have full access
to the raw device.  It isn't as easy as just mounting it, since it is
already mounted once, but it is quite easy to do a few minor edits to get
root outside the chrooted environment.  Things like /dev/mem and /dev/kmem
give you access to all the memory on the system.  The user can attach a
debugger to a process running outside the chrooted environment, then
modify it to give them access.  The list goes on and on. 

On most Unixes, if the user has root they have complete control over the
kernel, and FreeBSD is no exception.

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.3.95.961101181326.22655I-100000>
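The escape routes Marc enumerates (a device node for the mounted root partition, /dev/mem or /dev/kmem, and a debugger attached to a process outside the jail) all start from something present inside the chroot tree. The script below is an added example written for this archive page, not code from the thread or from FreeBSD: it walks a chroot directory and flags the device nodes that would hand a jailed root user raw disk or memory access. It assumes that the st_dev of "/" equals the device number of the block device holding the root filesystem (true for a disk-backed root on FreeBSD and Linux; an overlay or tmpfs root has no backing device and will simply not match). The jail path and the constructed stat values in the example are illustrative.

```python
"""Audit a chroot tree for the device nodes that make a chroot escape easy.

Added example for the FreeBSD chroot() security thread; not part of the
original message. Run as: python audit_jail.py /path/to/jail
"""
import os
import stat
import sys
from dataclasses import dataclass
from typing import List, Optional

# Character device names that expose physical or kernel memory (the
# /dev/mem and /dev/kmem case in the message).
MEMORY_DEVICE_NAMES = {"mem", "kmem"}


@dataclass
class Finding:
    path: str
    reason: str


def classify(path: str, st_mode: int, st_rdev: int, root_dev: int) -> Optional[str]:
    """Return why a directory entry is dangerous inside a jail, or None.

    st_mode/st_rdev are the values from lstat(); root_dev is the device
    number of the filesystem mounted on "/" (assumption: it equals the
    st_rdev of the block device node for the root partition).
    """
    if not (stat.S_ISBLK(st_mode) or stat.S_ISCHR(st_mode)):
        return None  # regular files, FIFOs, symlinks etc. are not device nodes
    name = os.path.basename(path)
    if stat.S_ISBLK(st_mode) and st_rdev == root_dev:
        # The /dev/sd0a case: raw read/write access to the mounted root fs.
        return "block device node for the mounted root filesystem (raw disk access)"
    if stat.S_ISCHR(st_mode) and name in MEMORY_DEVICE_NAMES:
        return "character device node exposing physical or kernel memory"
    kind = "block" if stat.S_ISBLK(st_mode) else "character"
    # Any other device node is still a jail-escape building block (other
    # disks, tape, tty of an outside process, ...), so report it too.
    return f"{kind} device node inside the jail"


def audit_jail(jail_root: str, root_dev: Optional[int] = None) -> List[Finding]:
    """Walk jail_root without following symlinks and collect findings."""
    if root_dev is None:
        root_dev = os.stat("/").st_dev
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(jail_root):
        for name in filenames:  # device nodes show up as non-directory entries
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue  # unreadable entry; skip rather than abort the audit
            reason = classify(full, st.st_mode, st.st_rdev, root_dev)
            if reason is not None:
                findings.append(Finding(full, reason))
    return findings


if __name__ == "__main__":
    jail = sys.argv[1] if len(sys.argv) > 1 else "/var/jail"  # illustrative default
    for f in audit_jail(jail):
        print(f"{f.path}: {f.reason}")
```

Treat the result as a snapshot, not a guarantee: as the message says, a process that already has root inside the jail can mknod the device node back (unless the jail's filesystem forbids device nodes), so the real control is keeping root out of the chroot in the first place, not cleaning /dev after the fact.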