Not logged in
Log in now
Create an account
Subscribe to LWN
LWN.net Weekly Edition for May 16, 2013
A look at the PyPy 2.0 release
PostgreSQL 9.3 beta: Federated databases and more
LWN.net Weekly Edition for May 9, 2013
(Nearly) full tickless operation in 3.10
Can you explain that? How does one get out of a chroot jail, even with root?
The Savannah Compromise - what really happened?
Posted Jan 2, 2004 5:20 UTC (Fri) by spotter (subscriber, #12199)
now imagine you are able to call chroot, you can change your "root" to a directory below you. now, any directory you are in is not the root, so ".." will go to the parent of that directory instead of going to "." and therefore you have broken out of the chroot.
I've looked at 2 simple ways around this.
1) every process should have a list of chroot/root points (instead of just one) and whene ever you hit one o those points ".."->"." I broached this idea to the l-k list a year or 2 ago, but people weren't really interested. probably have my code for it lying around somewhere.
2) have a filesystem that is aware of chroots, and doesn't let a process walk past any chroot point. since file system's don't know about chroot(), would also need to wrap the chroot() syscall in code that set up the appropriate data structures for the fs. this works because even though ".." links to the parent directory, if the filesystem's permission() function prevents any process (even roots) from walking past a directory, the process is effectively chained in. somewhat of a hack, but it works fine, have code that implements this too.
Posted Jan 2, 2004 8:07 UTC (Fri) by eru (subscriber, #2753)
Posted Jan 2, 2004 16:03 UTC (Fri) by eru (subscriber, #2753)
Posted Jan 4, 2004 6:43 UTC (Sun) by Ross (subscriber, #4065)
Posted Jan 15, 2004 11:51 UTC (Thu) by edmundo (guest, #616)
Posted Jan 2, 2004 5:24 UTC (Fri) by dlang (✭ supporter ✭, #313)
the biggest problem is that even if you don't put any software in the chroot the attacker can install their own so they can then issue the mount command (along with the correct device info) to the kernel and the kernel will allow the access becouse you are root.
useing chroot can't prevent an attacker from getting into a system, but it is one more thing that they need to deal with to really get control of the system (and the more you strip down the chroot sandbox the more work it takes to break out and the less vunerable you are to automated attacks)
Posted Jan 4, 2004 6:45 UTC (Sun) by Ross (subscriber, #4065)
Breaking out of a chroot jail
Posted Jan 2, 2004 15:36 UTC (Fri) by LogicG8 (guest, #11076)
Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds