From: "Serge E. Hallyn" <serge@hallyn.com>
To: Miloslav Semler <majkls@prepere.com>
Cc: Jan Engelhardt <jengelh@computergmbh.de>,
	serge@hallyn.com, davidsen@tmr.com, philipp@marek.priv.at,
	7eggert@gmx.de, alan@lxorguk.ukuu.org.uk,
	linux-kernel@vger.kernel.org
Subject: Re: Chroot bug
Date: Tue, 25 Sep 2007 11:53:41 -0500
Message-ID: <20070925165341.GA12422@vino.hallyn.com>
In-Reply-To: <46F9351D.8020906@prepere.com>

Quoting Miloslav Semler (majkls@prepere.com):
>
>>>> So what? Just do this: chdir into the root after chroot.
>>>>       
>>> I don't think so.  His exploit just got me all the way out of a chroot 
>>> within a
>>> chroot within a chroot, inclusive of lots of chdirs.
>>>     
>>
>> Close all fds that point to directories outside the root ;-)
>>
>>   
> This does not help.  Let's try:
> chroot somewhere
> mkdir foo
> fd = open /
> chroot foo
> fchdir fd
> chdir ".."
> ....
> chdir ".."
> chroot "."
> so you are in root.
>

Yes, to understand why that doesn't work it helps to understand why
pivot_root *does* work.  Pivot_root takes the new_root, which must be
a mount, and detaches it from its mountpoint.  So it's not that we
try to intercept a chdir(root_dir/..), but rather we remove root_dir
from its parent dir so that root_dir/.. must always return root_dir.

I'm sorry but I really don't see where hacking chroot to try and
detect and prevent chroot escapes is going to be acceptable to
anyone so long as pivot_root does the trick anyway.  If you want
portable, then write a little linux-only safe_chroot() library call
which does unshare();pivot_root() on linux and just chroot on a
system that does try to stop chroot escapes.

Besides as others have alluded to, if you have root privs, you can
always mknod /dev/hda1, mount that under /mnt, and then chroot or
pivot_root to there.

The containers work will, in fact, be intended to be a *safe*
jail.  That'll happen through pivot_root, capability masking,
perhaps device namespaces, etc.  But a secure container is still
a ways off.

-serge

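The unshare();pivot_root() sequence that the message above recommends for a linux-only safe_chroot() library call, written out as an added example. This is illustrative code, not code from the thread, from Serge, or from the kernel tree; it assumes Linux with CAP_SYS_ADMIN (normally root), and uses the put_old == new_root form of pivot_root(2) documented in its man page, so the old root is stacked on top of the new one and then detached. The argument checks at the top run without privilege and are the only part that can be exercised unprivileged.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* glibc provides no wrapper for pivot_root(2); call it directly. */
static int sys_pivot_root(const char *new_root, const char *put_old)
{
    return (int)syscall(SYS_pivot_root, new_root, put_old);
}

/*
 * safe_chroot(): make NEW_ROOT the process root via pivot_root instead of
 * chroot.  The new root becomes a mount that is detached from its former
 * mountpoint inside a private mount namespace, so ".." at the root can
 * only resolve to the root itself and no saved fd or cwd leads back out.
 * Needs CAP_SYS_ADMIN.  Returns 0 on success, -1 with errno set otherwise.
 * (Added example, not the kernel's or any library's own function.)
 */
int safe_chroot(const char *new_root)
{
    struct stat st;

    /* Argument checks run before any privileged call. */
    if (new_root == NULL || new_root[0] != '/') {
        errno = EINVAL;
        return -1;
    }
    if (stat(new_root, &st) < 0)
        return -1;            /* errno from stat, e.g. ENOENT */
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }

    /* A private mount namespace: nothing below is seen by other processes. */
    if (unshare(CLONE_NEWNS) < 0)
        return -1;
    /* Mark every mount private so our changes cannot propagate outward. */
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0)
        return -1;
    /* pivot_root requires new_root to be a mount point: bind it to itself. */
    if (mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -1;
    if (chdir(new_root) < 0)
        return -1;
    /* put_old == new_root: the old root is stacked on top of the new one
     * (see pivot_root(2)), so no scratch directory is needed. */
    if (sys_pivot_root(".", ".") < 0)
        return -1;
    /* Detach the old root; with it gone there is no parent to walk up to. */
    if (umount2(".", MNT_DETACH) < 0)
        return -1;
    /* Anchor cwd at the new root before running anything inside it. */
    return chdir("/");
}

/* Usage (as root): safe_chroot DIR CMD [ARG...] */
int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s DIR CMD [ARG...]\n", argv[0]);
        return 2;
    }
    if (safe_chroot(argv[1]) < 0) {
        perror("safe_chroot");
        return 1;
    }
    execvp(argv[2], &argv[2]);
    perror("execvp");
    return 1;
}
```

The point of the MS_REC | MS_PRIVATE step is that the bind mount and the later umount2() must not propagate to the parent namespace; without it, on a system whose root is a shared mount, the detach of the old root would be visible outside the jail. Note also that, as the message says, this does not stop a process that keeps root privileges from building a new root from a block device and pivoting there; that is what capability masking is for.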
