From: edward_at_paradigm4.com.au
Date: Wed 06 Feb 2002 - 03:46:10 GMT
On Tuesday, 5 February 2002 at 13:51, Jacques Gelinas wrote:
> On Tue, 5 Feb 2002 18:52:49 -0500, edward_at_paradigm4.com.au wrote
> > /* chroot call - still leaves the cwd pointing outside vserver */
> > if(chroot(root_dir)) { perror("chroot failed"); exit(1); }
> > /* fix the cwd */
> > if(chdir("/")) { perror("chdir failed"); exit(1); }
> > /* it should be safe at this point, right? */
>
> The problem is not the first chroot (the one used to "enter" the vserver). The
> problem is doing a second chroot while keeping the current directory behind.
It is my understanding that all the considered chroot exploits (we are not talking about using
devices and mounting tricks, as this capability is disabled in vserver) are based on either
using a file handle that was open before the first chroot, or the current directory from
before the first chroot.
Unless I'm missing something, the solution is simple - do not leave any file handles open
when you do chroot and do chdir("/") immediately after. Problem solved.
> Once the chroot is done, you are free to do chdir (".."). Since the test is performed
> only if the current directory == the process root directory, chdir("..") works and lets
> you out of the original vserver root directory.
If you did chdir("/") after the first chroot, a subsequent chroot and chdir("..") will not get you
out.
Ed
p.s. speaking of open file handles, what about stdin, stdout and stderr of a process before chroot
and after. How is that handled?
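The hygiene Ed describes (close inherited descriptors, chroot, then chdir("/") immediately), written out as a small helper with a check that the cwd really is the new root. This is an added example, not code from the thread or from vserver; the names close_fds_above, cwd_is_root and enter_chroot are my own, and chroot itself still needs CAP_SYS_CHROOT.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close every descriptor numbered above 'keep' (0..keep stay open, e.g.
 * stdin/stdout/stderr). Returns how many were actually closed. Walks the
 * descriptor table numerically so it needs no /proc inside the chroot. */
int close_fds_above(int keep) {
    long max = sysconf(_SC_OPEN_MAX);
    int closed = 0;
    if (max < 0) max = 1024;            /* conservative fallback */
    for (long fd = keep + 1; fd < max; fd++)
        if (close((int)fd) == 0) closed++;
    return closed;
}

/* 1 if the current directory is the process root (same device and inode
 * as "/"), 0 otherwise. This is the condition the kernel's ".." check
 * relies on, so it is the property we want to hold after chroot. */
int cwd_is_root(void) {
    struct stat cwd, root;
    if (stat(".", &cwd) != 0 || stat("/", &root) != 0) return 0;
    return cwd.st_dev == root.st_dev && cwd.st_ino == root.st_ino;
}

/* Enter root_dir as the new root and leave nothing pointing outside it.
 * Returns 0 on success, -1 with errno set on failure. */
int enter_chroot(const char *root_dir) {
    if (chdir(root_dir) != 0) return -1;   /* cwd = future root, no dir fd kept */
    if (chroot(".") != 0) return -1;       /* needs CAP_SYS_CHROOT */
    if (chdir("/") != 0) return -1;        /* the step the thread is about */
    return cwd_is_root() ? 0 : -1;         /* refuse to continue if it is not */
}

int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s <rootdir> <cmd>\n", argv[0]);
        return 2;
    }
    close_fds_above(2);                    /* keep only stdio across the chroot */
    if (enter_chroot(argv[1]) != 0) { perror("enter_chroot"); return 1; }
    execl(argv[2], argv[2], (char *)NULL);
    perror("execl");
    return 1;
}
```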