Date:      Thu, 19 Jul 2007 20:34:29 +0000 (UTC)
From:      Stef Walter <stef-list@memberwebs.com>
To:        Pieter de Boer <pieter@thedarkside.nl>
Cc:        freebsd-security@freebsd.org
Subject:   Re: kern.chroot_allow_open_directories
Message-ID:  <20070719203428.C44AAD4C09@mx.npubs.com>
References:  <20070717032204.09BA8D4F8E@mx.npubs.com> <469FA0D1.7000304@thedarkside.nl>

Pieter de Boer wrote:
>> Is this sysctl meant to prevent breaking out of a chroot? Or am I
>> missing the point of 'kern.chroot_allow_open_directories'?
>>
> If the sysctl was set to 0 at the moment chroot() was called, then the
> chroot() would have failed if the calling process had open directories
> (that's what the sysctl is meant to do, if I'm understanding the source
> right). If directories weren't open, the chroot() would work, but the
> process would obviously not be able to open directories outside the
> chroot after that, even if you'd set the sysctl to 1.
> 
> As I see it, there's no problem here, but could be wrong; chroot() is
> tricky afaik..

Yes, it sure is.

However, if a root process inside the chroot jail reset that sysctl,
it seems it could then perform the usual break out thingy:

http://www.bpfh.net/simes/computing/chroot-break.html

I guess what I was wondering is if FreeBSD is in fact immune to this
attack, and whether it makes sense to chroot superuser processes on FreeBSD.

Cheers,
Stef



