Message-ID: <37EFD593.A6900748@tinker.com>
Date: Mon, 27 Sep 1999 15:37:39 -0500
From: Carol Deihl
To: trouble@hackfurby.com
Cc: freebsd-security@FreeBSD.ORG, freebsd-hackers@FreeBSD.ORG
Subject: Re: chroot could chdir? (was Re: about jail)

Hello,

I was referring to the practice of chdir-ing to someplace within the
chrooted area right *after* doing the chroot, before doing anything
else. Otherwise, the current working directory may be pointing to a
directory *outside* the chrooted area.

Of course, if you set the current working directory to someplace
inside the chrooted area *before* doing the chroot, that's fine too.

However, it is a danger that some programmers are not careful (or are
malicious), and neither set an appropriate current dir before
chrooting, nor afterwards. Since this allows one to break out of a
chrooted area, I'm looking for a solution to this security problem.

Carol

TrouBle wrote:
>
> Ummm sorry but I think you have gotten this backwards it is more secure to
> chdir, then chroot, not chroot then chdir.... I believe what you have here is
> backwards
>
> > As we all know, the chroot can be escaped because the sample
> > program doesn't change the current working directory, and it's
> > still pointing outside the chrooted area.
> >
> > What if chroot itself chdir'ed to its new root directory? Would
> > this break existing programs? I'd expect that well-behaved
> > programs would chdir someplace useful before continuing anyway.
> >
> > At the very end of chroot(), could it just
> >         vrele(fdp->fd_cdir);
> >         fdp->fd_cdir = nd.ni_vp;
> > before it returns, setting the current dir to the same place it
> > just chrooted to?

--
Carol Deihl - principal, Shrier and Deihl - mailto:carol@tinker.com
Remote Unix Network Admin, Security, Internet Software Development
Tinker Internet Services - Superior FreeBSD-based Web Hosting
http://www.tinker.com/
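
The ordering discussed in this message, as an added userland example (not code from the thread or from the FreeBSD source): `enter_jail()` does chdir, then chroot, then chdir("/"), and `cwd_inside_root()` lets a program check that its working directory really is under its root. Both function names are hypothetical; the code assumes a POSIX system with `openat()` and root privilege for the `chroot()` call.

```c
#define _DEFAULT_SOURCE   /* exposes chroot() on glibc; harmless elsewhere */
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 if the working directory lies under the process root, 0 if it
 * does not, -1 on error. Walks ".." upward comparing (device, inode) pairs;
 * a directory that is its own parent and is not "/" is outside the root. */
int cwd_inside_root(void)
{
    struct stat root, cur, up_st;
    int fd, up;

    if (stat("/", &root) != 0 || (fd = open(".", O_RDONLY)) < 0)
        return -1;
    for (;;) {
        if (fstat(fd, &cur) != 0) { close(fd); return -1; }
        if (cur.st_dev == root.st_dev && cur.st_ino == root.st_ino) { close(fd); return 1; }
        up = openat(fd, "..", O_RDONLY);
        close(fd);
        if (up < 0)
            return -1;
        if (fstat(up, &up_st) != 0) { close(up); return -1; }
        if (up_st.st_dev == cur.st_dev && up_st.st_ino == cur.st_ino) { close(up); return 0; }
        fd = up;
    }
}

/* chdir into the new root first, chroot to ".", then chdir("/"), so the
 * working directory never refers to a place outside the new root. */
int enter_jail(const char *dir)
{
    if (chdir(dir) != 0) return -1;
    if (chroot(".") != 0) return -1;      /* fails without root privilege */
    if (chdir("/") != 0) return -1;
    return cwd_inside_root() == 1 ? 0 : -1;
}

int main(int argc, char **argv)
{
    if (argc == 2 && enter_jail(argv[1]) != 0) { perror("enter_jail"); return 1; }
    printf("cwd inside root: %d\n", cwd_inside_root());
    return 0;
}
```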