From owner-freebsd-security Fri Nov 1 17:30:42 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id RAA23905 for security-outgoing; Fri, 1 Nov 1996 17:30:42 -0800 (PST)
Received: from scanner.worldgate.com (scanner.worldgate.com [198.161.84.3]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id RAA23892 for ; Fri, 1 Nov 1996 17:30:38 -0800 (PST)
Received: from znep.com (uucp@localhost) by scanner.worldgate.com (8.7.5/8.7.3) with UUCP id SAA13568; Fri, 1 Nov 1996 18:30:36 -0700 (MST)
Received: from localhost (marcs@localhost) by alive.ampr.ab.ca (8.7.5/8.7.3) with SMTP id SAA23733; Fri, 1 Nov 1996 18:29:43 -0700 (MST)
Date: Fri, 1 Nov 1996 18:29:42 -0700 (MST)
From: Marc Slemko
X-Sender: marcs@alive.ampr.ab.ca
To: Dev Chanchani
cc: freebsd-security@FreeBSD.org
Subject: Re: chroot() security
In-Reply-To:
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

On Fri, 1 Nov 1996, Dev Chanchani wrote:

> On Fri, 1 Nov 1996, Marc Slemko wrote:
>
> > Never lose sight of the fact that if someone gets root in the chrooted
> > environment, they have root on the whole machine. The chrooted
> > environment does not lessen the implications of getting root, it only
> > makes it harder to do so.
>
> Marc,
> Thanks for the reply.
> Basically, how can someone get out of a chroot()'ed environment if they
> get root?

Many, many ways.

> Can they access the filesystem outside their chroot()'ed
> directory? I know they can place their own binaries and begin to sniff,
> etc, but can they easily get out of their environment? Also, can a user
> access the inode table or does the kernel only access the inode table?

They can do whatever they want; it may take some effort, but not that much. Simply getting root does not automatically give access to files outside the chrooted environment, but it is easy enough to get once you have root.
For example, from inside the chrooted environment create /dev/sd0a or whatever the root partition is and then you have full access to the raw device. It isn't as easy as just mounting it, since it is already mounted once, but it is quite easy to do a few minor edits to get root outside the chrooted environment. Things like /dev/mem and /dev/kmem give you access to all the memory on the system. The user can attach a debugger to a process running outside the chrooted environment, then modify it to give them access. The list goes on and on. On most Unixes, if the user has root they have complete control over the kernel, and FreeBSD is no exception.
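The practical consequence of the message above is that a jailed daemon must not be left running as root inside the chroot, since root in the jail is root on the whole machine. The following is an added example, not code from the message or from FreeBSD: it enters a jail in the correct order (chdir, chroot, chdir to the new root), permanently drops to an unprivileged uid/gid, and then checks that root cannot be regained. The jail path /var/jail and the uid/gid 65534 are assumptions chosen for illustration.

```c
/* Added example (not from the mailing-list message): enter a chroot jail and
 * shed root immediately, because a root process inside the jail can create
 * device nodes, open /dev/kmem or attach a debugger to outside processes.
 * The jail path, uid and gid used in main() are assumptions. */
#define _DEFAULT_SOURCE 1   /* setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Permanently drop to uid/gid. Order matters: supplementary groups first,
 * then gid, then uid, because once the uid is unprivileged the other two
 * calls would be refused. Returns 0 on success, -1 with errno set. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) == -1) return -1;   /* no supplementary groups */
    if (setgid(gid) == -1) return -1;
    if (setuid(uid) == -1) return -1;
    return 0;
}

/* Lock the process into dir and drop root. chdir() before chroot() so the
 * working directory is inside the jail, and chdir("/") afterwards so a
 * stale working directory cannot be used to reach outside it.
 * Returns 0 on success, -1 with errno set (chroot() needs root). */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) == -1) return -1;
    if (chroot(dir) == -1) return -1;
    if (chdir("/") == -1) return -1;
    return drop_privileges(uid, gid);
}

/* Check that root is really gone: neither real nor effective uid is 0 and
 * setuid(0) is refused, i.e. no saved root uid is left behind.
 * Returns 1 if root cannot be regained, 0 if it can (a dangerous jail). */
int root_is_gone(void)
{
    if (geteuid() == 0 || getuid() == 0) return 0;
    if (setuid(0) == 0) return 0;   /* drop was not permanent */
    return 1;
}

/* Drop root if we currently have it, then report whether it is gone, so the
 * check gives the same answer whether the caller starts as root or not.
 * Returns 1 when root is gone, 0 when it is not, -1 if the drop failed. */
int drop_and_check(uid_t uid, gid_t gid)
{
    if (geteuid() == 0 && drop_privileges(uid, gid) == -1) return -1;
    return root_is_gone();
}

int main(int argc, char **argv)
{
    /* Assumed values: a jail at /var/jail and the conventional "nobody" ids. */
    const char *jail = argc > 1 ? argv[1] : "/var/jail";
    uid_t uid = 65534;
    gid_t gid = 65534;

    if (enter_jail(jail, uid, gid) == -1) {
        fprintf(stderr, "enter_jail(%s): %s\n", jail, strerror(errno));
        return 1;
    }
    if (!root_is_gone()) {
        fputs("still root inside the jail: that is root on the whole machine\n", stderr);
        return 1;
    }
    printf("jailed in %s as uid %u; root cannot be regained\n",
           jail, (unsigned)getuid());
    return 0;
}
```

Run it as root with the jail directory as the argument; anything started after enter_jail() returns runs without root, so the escapes listed in the message (creating a device node for the root disk, opening /dev/mem or /dev/kmem, ptrace on an outside process) are no longer available to it. If root_is_gone() ever reports 0 after the drop, treat the jail as no protection at all.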