LWN.net Logo

Not logged in

Log in now

Create an account

Subscribe to LWN

Recent Features

LWN.net Weekly Edition for May 23, 2013

An "enum" for Python 3

An unexpected perf feature

LWN.net Weekly Edition for May 16, 2013

A look at the PyPy 2.0 release

Printable page
Weekly edition Kernel Security Distributions Contact Us Search
Archives Calendar Subscribe Write for LWN LWN.net FAQ Sponsors

The Savannah Compromise - what really happened?

The Savannah Compromise - what really happened?

Posted Jan 2, 2004 4:53 UTC (Fri) by jonabbey (subscriber, #2736)
In reply to: The Savannah Compromise - what really happened? by JoeBuck
Parent article: The Savannah Compromise - what really happened?

Can you explain that? How does one get out of a chroot jail, even with root?

(Log in to post comments)

The Savannah Compromise - what really happened?

Posted Jan 2, 2004 5:20 UTC (Fri) by spotter (subscriber, #12199) [Link]

what does root mean? it means that when you do a ".." it goes to "." instead of the parent directory.

now imagine you are able to call chroot, you can change your "root" to a directory below you. now, any directory you are in is not the root, so ".." will go to the parent of that directory instead of going to "." and therefore you have broken out of the chroot.

I've looked at 2 simple ways around this.

1) every process should have a list of chroot/root points (instead of just one) and whene ever you hit one o those points ".."->"." I broached this idea to the l-k list a year or 2 ago, but people weren't really interested. probably have my code for it lying around somewhere.

or

2) have a filesystem that is aware of chroots, and doesn't let a process walk past any chroot point. since file system's don't know about chroot(), would also need to wrap the chroot() syscall in code that set up the appropriate data structures for the fs. this works because even though ".." links to the parent directory, if the filesystem's permission() function prevents any process (even roots) from walking past a directory, the process is effectively chained in. somewhat of a hack, but it works fine, have code that implements this too.

The Savannah Compromise - what really happened?

Posted Jan 2, 2004 8:07 UTC (Fri) by eru (subscriber, #2753) [Link]

How does FreeBSD:s jail(2) do it? I suppose it fixed the chroot escaping problem.

The Savannah Compromise - what really happened?

Posted Jan 2, 2004 16:03 UTC (Fri) by eru (subscriber, #2753) [Link]

Suppose you just changed the kernel to disable the chroot call for every process (even ones with uid 0) whose current root directory differs from the real root? Would that cause problems to any legitimate applications?

The Savannah Compromise - what really happened?

Posted Jan 4, 2004 6:43 UTC (Sun) by Ross (subscriber, #4065) [Link]

What I wished for was that chroot() would be considered a capability and
that it could be disabled. In fact, capabilities in Linux aren't very
useful because they can only restrict actions that are already reserved
for the superuser. So I can't, for example, say that this process and its
children can't call ptrace(), chroot(), etc.

The Savannah Compromise - what really happened?

Posted Jan 15, 2004 11:51 UTC (Thu) by edmundo (guest, #616) [Link]

Would it help for chroot to take no argument and only chroot to the current directory?

The Savannah Compromise - what really happened?

Posted Jan 2, 2004 5:24 UTC (Fri) by dlang (✭ supporter ✭, #313) [Link]

if you are root inside a chroot jail and the chroot has access to /proc, or anything in the chroot has access to file handles pointing outside the jail, or the system will honor raw access to a device from within that jail then the attacker has a way out of the jail.

the biggest problem is that even if you don't put any software in the chroot the attacker can install their own so they can then issue the mount command (along with the correct device info) to the kernel and the kernel will allow the access becouse you are root.

useing chroot can't prevent an attacker from getting into a system, but it is one more thing that they need to deal with to really get control of the system (and the more you strip down the chroot sandbox the more work it takes to break out and the less vunerable you are to automated attacks)

The Savannah Compromise - what really happened?

Posted Jan 4, 2004 6:45 UTC (Sun) by Ross (subscriber, #4065) [Link]

You are assuming the chroot() area is writable and that the compromized
process is running as root (non-root can not call mount(2)).

Breaking out of a chroot jail

Posted Jan 2, 2004 15:36 UTC (Fri) by LogicG8 (guest, #11076) [Link]

I just happened to be reading about this
so I have a really good url handy.
http://www.bpfh.net/simes/computing/chroot-break.html

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds