Linux.com

chroot "jail" can be escaped by root

Posted by: Administrator on January 10, 2007 06:49 AM
Hi,

The notion that nobody can "escape" a chroot'ed environment (i.e. access files outside the chroot directory) is false - if a root process inside a chroot environment does "mkdir x; chroot x" then "multiple chdir .." it will eventually get out of the jail.

I use shell syntax above but actually you need to do all this in one process so you'll need a statically compiled executable to test this.

This happens because the "chroot x" will change the process's root to a directory which is actually under its CURRENT directory, and since all the "chdir .." syscalls after that will not encounter the process's chroot they will succeed all the way up to the real root. All that is left then is to "chroot ." and run a shell.

I thought I should point this out because you say in paragraph 5 (with the BIND break-in example) that a chroot'ed BIND process will save the day from a root exploit in the BIND program.

Besides that - great article and thanks very much for putting it up.
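The comment's point is that a chroot only holds against a process that is not root inside it. As an added example (not the commenter's code and not from the article), here is a C jail-entry routine that orders the steps so the escape is closed: chdir before chroot, then drop supplementary groups, gid and uid, and verify root cannot be regained. The name enter_jail and the uid/gid values in main are assumptions for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter a chroot jail and irrevocably give up root.
 * Returns 0 on success, -1 with errno set on failure.
 * Refuses to leave the process as uid/gid 0: a root process inside
 * the jail can walk out with the chroot/chdir sequence described above. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {      /* staying root defeats the jail */
        errno = EINVAL;
        return -1;
    }
    if (chdir(dir) != 0)             /* cwd inside the new root first */
        return -1;
    if (chroot(dir) != 0)            /* requires CAP_SYS_CHROOT */
        return -1;
    if (chdir("/") != 0)             /* cwd is the jail root, not outside */
        return -1;
    if (setgroups(0, NULL) != 0)     /* drop supplementary groups */
        return -1;
    if (setgid(gid) != 0)            /* gid before uid, or setgid fails */
        return -1;
    if (setuid(uid) != 0)            /* sets real, effective, saved uid */
        return -1;
    if (setuid(0) == 0) {            /* must fail: drop is irrevocable */
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Usage (assumed values): enter_jail <dir> <uid> <gid>, must start as root. */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jail-dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("enter_jail");
        return 1;
    }
    printf("jailed in %s as uid %d, root cannot be regained\n",
           argv[1], (int)getuid());
    return 0;
}
```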

