From: "H. Peter Anvin" <hpa@transmeta.com>
To: Peter Samuelson <peter@cadcamlab.org>
Cc: "H. Peter Anvin" <hpa@zytor.com>, linux-kernel@vger.kernel.org
Subject: Re: Linux 2.2.18pre21
Date: Fri, 17 Nov 2000 09:35:37 -0800
Message-ID: <3A156C69.FB651C57@transmeta.com>
In-Reply-To: <E13u4XD-0001oe-00@the-village.bc.nu> <20001116171618.A25545@athlon.random> <20001116115249.A8115@wirex.com> <20001117003000.B2918@wire.cadcamlab.org> <8v2js0$qpr$1@cesium.transmeta.com> <20001117052226.C2918@wire.cadcamlab.org>
Peter Samuelson wrote:
>
> [I wrote]
> > > mkdir("foo")
> > > chroot("foo")
>
> [H. Peter Anvin]
> > BUG: you *MUST* chdir() into the chroot jail before it does you any
> > good at all!
>
> No, it wasn't a bug! It was a demonstration. The above code is
> executed not by the application but by the *attacker* who has managed
> to 0wn the existing jail.
>
> Doing the additional chroot("foo") without already being in "foo"
> basically replaces the chroot jail you *were* in, so you are now out.
>
> The sequence I posted is just the simplest un-chroot procedure I know,
> to explain why chroot cannot sandbox the superuser.
>
Right. Gotcha.
--
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
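
Added example, not part of the original message or of any code posted in the thread: the two points made above (chdir() into the jail before chroot(), and chroot cannot sandbox the superuser) applied to a daemon's jail entry in C. The helper name enter_jail, the program usage and the id 65534 are assumptions made for illustration.

```c
/* Added example: enter a chroot jail, then give up root for good. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* enter_jail() is a hypothetical helper name. Returns 0 once the process is
 * jailed and unprivileged, -1 with errno set otherwise; on -1 the caller
 * must exit, never carry on. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* chroot() does not confine uid 0, so refuse to keep root ids. */
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }

    /* Move the working directory inside first: chroot() changes only the
     * root directory, and a cwd left outside it is not confined. */
    if (chdir(dir) != 0) return -1;
    if (chroot(".") != 0) return -1;
    if (chdir("/") != 0) return -1;

    /* Drop supplementary groups, then gid, then uid. The order matters:
     * once the uid is gone the group calls would be refused. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Check that the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0 ||
        getuid() != uid || geteuid() != uid) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv)
{
    /* Run as root: ./jail <dir>. 65534 is an assumed unprivileged id. */
    if (argc != 2) { fprintf(stderr, "usage: %s <dir>\n", argv[0]); return 2; }
    if (enter_jail(argv[1], 65534, 65534) != 0) { perror("enter_jail"); return 1; }
    puts("jailed and unprivileged");
    return 0;
}
```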