
Re: apt-get and The_User



Ethan Benson <erbenson@alaska.net> writes:

> I'm going on memory and I'm not terribly familiar with all the syscalls,
> but the basic gist is doing an fchdir() to a directory under the
> current chroot, so if you can chroot down one more level then fchdir
> back up you have effectively broken the chroot().

> say you're chrooted to /chroot
> 
> you see in your chroot jail:
> 
> /foo/bar/ (both directories)
> 
> you open a file descriptor on /foo

> you then chroot to /foo/bar, now foo is no longer visible.

> you fchdir() to foo, now you're out of the chroot entirely.

Ah, yes, indeed.  I understand now.  

The problem is that chroot works by having a special check in chdirs
to .. that says "am I at my root", and if you have only one current
root, then you lose that information upon the second chroot.  Since
you can arrange to get between the old and new roots, and only the new
root has the special .. behavior, you can .. with impunity once you
are between.

This could be fixed, of course, by retaining a list of all the
directories that have the special .. behavior; it's a little less
fundamental than the setuid problem.

Indeed, this is another reason to have chroot restricted; thanks for
showing me.

Thomas
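To make the reasoning in this message concrete, here is a small added Python model (not kernel code, not part of the original thread, and not an exploit; the process, paths and descriptor table are all simulated). It walks paths the way the message describes the kernel doing it: ".." is a no-op only at the directory the process currently considers its root. `remember_all_roots=False` models a kernel that keeps a single root, so the second chroot() forgets the first one; `remember_all_roots=True` models the fix Thomas proposes, keeping every directory that should stop "..". The class and function names are invented for the illustration.

```python
# Toy model of how chroot() restricts ".." during a path walk. Added to
# illustrate the explanation above; it is a simulation, not kernel code.

class ToyProcess:
    """Simulated process: a root, a cwd, and a table of open directories.

    Directories are tuples of path components; () is the real root.
    With remember_all_roots=False the kernel keeps only the most recent
    root (classic behaviour). With True it keeps every root it was ever
    given, which is the fix the message proposes.
    """

    def __init__(self, remember_all_roots=False):
        self.root = ()            # the one root a classic kernel remembers
        self.roots = {()}         # every directory that should stop ".."
        self.cwd = ()
        self.fds = {}             # fd number -> resolved directory
        self.remember_all_roots = remember_all_roots

    def _is_root(self, d):
        # The "am I at my root" check that makes ".." a no-op.
        return d in self.roots if self.remember_all_roots else d == self.root

    def _resolve(self, path):
        """Walk `path` component by component, applying the root check."""
        cur = self.root if path.startswith("/") else self.cwd
        for comp in path.strip("/").split("/"):
            if comp in ("", "."):
                continue
            if comp == "..":
                if not self._is_root(cur):
                    cur = cur[:-1]      # () stays () at the real root
            else:
                cur = cur + (comp,)
        return cur

    def chroot(self, path):
        self.root = self._resolve(path)
        self.roots.add(self.root)

    def chdir(self, path):
        self.cwd = self._resolve(path)

    def open_dir(self, path):
        fd = len(self.fds) + 3
        self.fds[fd] = self._resolve(path)
        return fd

    def fchdir(self, fd):
        # fchdir() trusts the stored directory outright: no root check is
        # involved, which is why a descriptor opened before the second
        # chroot() lands the process between the old and the new root.
        self.cwd = self.fds[fd]

    def cwd_path(self):
        return "/" + "/".join(self.cwd)


def double_chroot_sequence(remember_all_roots):
    """Replay the sequence from the quoted message; return the final cwd."""
    p = ToyProcess(remember_all_roots)
    p.chroot("/chroot")
    p.chdir("/")              # cwd is now the jail's root, /chroot
    fd = p.open_dir("/foo")   # /chroot/foo, as seen from inside the jail
    p.chroot("/foo/bar")      # the new, deeper root; foo is now above it
    p.fchdir(fd)              # cwd sits between the old and new roots
    for _ in range(5):
        p.chdir("..")         # only a remembered root stops ".."
    return p.cwd_path()


if __name__ == "__main__":
    print("single root  :", double_chroot_sequence(False))   # "/"
    print("all roots    :", double_chroot_sequence(True))    # "/chroot"
```

With a single remembered root the walk from `/chroot/foo` passes straight through `/chroot`, because only `/chroot/foo/bar` triggers the special ".." behaviour, and ends at the real root. With every root remembered, `/chroot` stops the walk, which is exactly the information the classic implementation loses on the second chroot(). The model also shows why the simpler defence in the thread works: if the jailed process cannot call chroot() at all, the second root is never created and the descriptor on `/foo` is useless.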


