From: Martin Josefsson (gandalf_at_wlug.westbo.se)
Date: Thu 24 Jan 2002 - 12:10:04 GMT
On Thu, 24 Jan 2002, Nick Craig-Wood wrote:
> > > This code can break out of a chroot in Linux kernel
> > > 2.4.18-pre3-ac2:
>
> This surely must be a kernel bug?
[snip]
> > > chdir("../bin");
>
> So why on earth should this work? I can see why it does! Surely that
> is the bug we should be working on? I expect there is some
> implication in speed terms in checking cwd vs root, but it need only
> happen if root != "/" && root != cwd surely which won't slow the rest
> of the kernel down.

If I understand things correctly this is how most unices work. They forget
the old root when chroot is called and if we have a reference to a
directory above the root there's nothing we can't do.

> [snip]
> > Someone told me that forcing the chdir right in the chroot system call
> > was breaking POSIX compatibility and it was bad. There is apparently
> > a big thread on linux kernel mailing list about this. I have not seen it
> > but I was told that the end argument was that fixing chroot was a big
> > can of worms...
>
> Here is part of a recent thread...
>
> http://marc.theaimsgroup.com/?l=linux-kernel&m=97440433705830&w=2
>
> And a comment from Alan Cox who is saying that you can't allow chroot
> in a chroot if you want to be secure.
>
> http://marc.theaimsgroup.com/?l=linux-kernel&m=97441079623050&w=2

Disallowing chroot altogether if run in a chroot or limiting it like
FreeBSD does is probably a good idea.

http://www.FreeBSD.org/cgi/man.cgi?query=chroot&sektion=2&apropos=0&manpath=FreeBSD+4.0-RELEASE

The grsecurity patch has some code to detect if we are calling certain
system calls inside a chroot.

Maybe an integration of various parts of grsecurity into vserver would be a
good idea? At least the various chroot stuff.

/Martin
Never argue with an idiot. They drag you down to their level, then beat you with experience.
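
As an added example (not code from this thread, nor from the vserver or grsecurity projects), the C below shows a chroot entry sequence that covers both points raised in the reply: it refuses to continue while any directory descriptor is open, moves the working directory inside the new root around the chroot() call, and drops root so chroot() cannot be called again. The names `open_dir_fds` and `enter_jail`, the 65536 scan bound and the `/bin/sh` started by `main` are assumptions of this example; Linux with glibc and default capability handling is assumed.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count open descriptors that refer to directories. Any one of them is a
 * reference that can still point above the new root after chroot(). */
int open_dir_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    struct stat st;
    int n = 0;
    if (max < 0 || max > 65536) max = 65536;   /* scan bound chosen for this example */
    for (int fd = 0; fd < max; fd++)
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    return n;
}

/* Hypothetical helper: make `dir` the root and end up unprivileged inside it. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* root could chroot() again */
    if (open_dir_fds() != 0)  { errno = EBUSY;  return -1; } /* stale directory reference */
    if (chdir(dir) != 0)  return -1;   /* cwd moves inside before the root changes */
    if (chroot(".") != 0) return -1;
    if (chdir("/") != 0)  return -1;   /* cwd now resolves relative to the new root */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    if (setuid(0) == 0) { errno = EPERM; return -1; }        /* root must be gone for good */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) return 2;                    /* usage: jail DIR UID GID */
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) { perror("enter_jail"); return 1; }
    execl("/bin/sh", "sh", (char *)NULL);       /* assumes the jail contains /bin/sh */
    perror("execl");
    return 1;
}
```

The descriptor scan runs before any state changes, so a refusal leaves the caller's working directory and root untouched.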