From owner-freebsd-security Fri Nov 1 21:21:11 1996
Return-Path: owner-security
Received: (from root@localhost) by freefall.freebsd.org (8.7.5/8.7.3) id VAA27582 for security-outgoing; Fri, 1 Nov 1996 21:21:11 -0800 (PST)
Received: from genesis.atrad.adelaide.edu.au (genesis.atrad.adelaide.edu.au [129.127.96.120]) by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA27563 for ; Fri, 1 Nov 1996 21:21:05 -0800 (PST)
Received: from msmith@localhost by genesis.atrad.adelaide.edu.au (8.6.12/8.6.9) id PAA06652; Sat, 2 Nov 1996 15:50:45 +1030
From: Michael Smith
Message-Id: <199611020520.PAA06652@genesis.atrad.adelaide.edu.au>
Subject: Re: chroot() security
To: dev@trifecta.com (Dev Chanchani)
Date: Sat, 2 Nov 1996 15:50:45 +1030 (CST)
Cc: marcs@znep.com, freebsd-security@FreeBSD.org
In-Reply-To: from "Dev Chanchani" at Nov 1, 96 08:04:43 pm
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@FreeBSD.org
X-Loop: FreeBSD.org
Precedence: bulk

Dev Chanchani stands accused of saying:
>
> Basically, how can someone get out of a chroot()'ed environment if they
> get root? Can they access the filesystem outside their chroot()'ed
> directory? I know they can place their own binaries and begin to sniff,
> etc, but can they easily get out of their environment? Also, can a user
> access the inode table or does the kernel only access the inode table?

Depending on how the filesystem they're in is mounted, one quick way
out is to make some device nodes that reference the system's disks
(remember, a little bit of redirection sleight-of-hand and they can
upload any binary they like).

Alternatively, they can make themselves a nuisance by shooting down
other processes, rebooting the machine, you name it.

--
]] Mike Smith, Software Engineer        msmith@gsoft.com.au             [[
]] Genesis Software                     genesis@gsoft.com.au            [[
]] High-speed data acquisition and      (GSM mobile) 0411-222-496       [[
]] realtime instrument control.         (ph) +61-8-8267-3493            [[
]] Unix hardware collector.             "Where are your PEZ?" The Tick  [[
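
A host-side audit for the condition the reply describes, as an added example that is not part of the original message: it checks whether the filesystem holding a chroot directory is mounted with `nodev` (assumed here to be the mount option the reply alludes to) and lists any device nodes already present under the tree. The mount table, paths, and function names are constructed for illustration.

```python
import os
import re
import stat

# Constructed sample of BSD-style mount(8) output; not from the original message.
SAMPLE_MOUNT_OUTPUT = """\
/dev/sd0a on / (local)
/dev/sd0s1e on /usr (local)
/dev/sd1s1e on /jail (local, nodev, nosuid)
"""
MOUNT_LINE = re.compile(r"^(\S+) on (\S+) \(([^)]*)\)$")

def parse_mounts(text):
    """Map each mount point to its set of options."""
    mounts = {}
    for line in text.splitlines():
        m = MOUNT_LINE.match(line.strip())
        if m:
            mounts[m.group(2)] = {opt.strip() for opt in m.group(3).split(",")}
    return mounts

def mount_for(path, mounts):
    """Return the longest mount point that contains path, or None."""
    path = os.path.normpath(path)
    hits = [mp for mp in mounts
            if path == mp or path.startswith(mp.rstrip("/") + "/")]
    return max(hits, key=len) if hits else None

def nodev_enforced(chroot_dir, mounts):
    """True only if the filesystem holding chroot_dir is mounted nodev."""
    mp = mount_for(chroot_dir, mounts)
    return mp is not None and "nodev" in mounts[mp]

def find_device_nodes(root, lstat=os.lstat):
    """List (path, kind, major, minor) for device nodes under root.
    lstat is injectable so the walk can be exercised without root."""
    found = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            st = lstat(path)
            kind = ("block" if stat.S_ISBLK(st.st_mode)
                    else "char" if stat.S_ISCHR(st.st_mode) else None)
            if kind:
                found.append((path, kind, os.major(st.st_rdev), os.minor(st.st_rdev)))
    return found

if __name__ == "__main__":
    mounts = parse_mounts(SAMPLE_MOUNT_OUTPUT)
    for d in ("/jail/www", "/usr/chroot"):
        print(d, "nodev" if nodev_enforced(d, mounts) else "device nodes usable")
```

Run against the host's real mount output, a chroot directory on a filesystem without `nodev`, or any unexpected entry from `find_device_nodes`, is the exposure the reply points at.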