Date: Thu, 19 Jul 2007 20:34:29 +0000 (UTC) From: Stef Walter <stef-list@memberwebs.com> To: Pieter de Boer <pieter@thedarkside.nl> Cc: freebsd-security@freebsd.org Subject: Re: kern.chroot_allow_open_directories Message-ID: <20070719203428.C44AAD4C09@mx.npubs.com> References: <20070717032204.09BA8D4F8E@mx.npubs.com> <469FA0D1.7000304@thedarkside.nl>
index | next in thread | previous in thread | raw e-mail
Pieter de Boer wrote: >> Is this sysctl meant to prevent breaking out of a chroot? Or am I >> missing the point of 'kern.chroot_allow_open_directories'? >> > If the sysctl was set to 0 at the moment chroot() was called, then the > chroot() would have failed if the calling process had open directories > (that's what the sysctl is meant to do, if I'm understanding the source > right). If directories weren't open, the chroot() would work, but the > process would obviously not be able to open directories outside the > chroot after that, even if you'd set the sysctl to 1. > > As I see it, there's no problem here, but could be wrong; chroot() is > tricky afaik.. Yes, it sure is. However if a root process inside the chroot jail reset that sysctl, after which it seems it could perform the usual break out thingy: http://www.bpfh.net/simes/computing/chroot-break.html I guess what I was wondering, is if FreeBSD is in fact immune to this attack, and whether it makes sense to chroot superuser processes on FreeBSD. Cheers, Stefhome | help
Want to link to this message? Use this
URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20070719203428.C44AAD4C09>