On Thu, Mar 29, 2001 at 04:07:51PM +1000, Matthew Dalton wrote:
> Because root can break out of a chroot().

Yes, but _only_ root can break out of it, which is why it still has
its uses.

If the chroot'ed code isn't running as root, and there's no suid programs
within the root, then there's no way out!

> It's not related to devices, like some seem to think... the method is
> even simpler:
> 
> #define MY_JAIL_PATH "/whatever/you/want"
> 
> chdir( MY_JAIL_PATH );
> chroot( MY_JAIL_PATH );
> /* process is now supposedly jailed */
> /* can we get out?  sure.... we have the keys cause we're root.... */
> mkdir( MY_JAIL_PATH "/escape" );    /* did I mention I love ANSI C's
>                                       string concatenation? */
> chroot( MY_JAIL_PATH "/escape" );

I'd say you like C's string concatenations just a little too much...

This should read :
mkdir( "/escape" );
chroot( "/escape" );


> /* let's go up a bit.... */
> 
> chdir ("../../../../../../../../../.." );   /* should be plenty, if not
>                                             we can just repeat it... */
> chroot ( "." );

chroot("../../../../../../");   will have the same result (well, it will
                                give you a different pwd, but that's all)


  Scott.
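The thread's point is that a chroot only holds when the jailed process is not root and the jail contains no setuid programs it could use to become root again. The following C program is an added example, written for this page and not code from either poster: it shows the usual jail-then-drop-privileges sequence in the order that matters (chdir into the jail, chroot, chdir to the new "/", drop supplementary groups, then gid, then uid, then confirm uid 0 cannot be regained), and a small checker that walks a directory tree and counts files carrying the setuid or setgid bit. The uid/gid 65534, the `/tmp` location, and the fixture file names are assumptions made for the example.

```c
/* Added example (not from the thread): jail a process and permanently drop
 * privileges, plus a checker for setuid/setgid files inside the jail. */
#define _DEFAULT_SOURCE
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum jail_result { JAIL_OK = 0, JAIL_NEED_ROOT = 1, JAIL_FAILED = 2 };

/* Count regular files under `dir` (recursively) with the setuid or setgid
 * bit set.  Uses lstat, so symlinks are not followed.  Returns -1 on error. */
long count_setid_files(const char *dir)
{
    if (dir == NULL) return -1;
    DIR *d = opendir(dir);
    if (d == NULL) return -1;
    long n = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0) continue;
        char path[PATH_MAX];
        if (snprintf(path, sizeof path, "%s/%s", dir, e->d_name) >= (int)sizeof path) {
            closedir(d); return -1;
        }
        struct stat st;
        if (lstat(path, &st) != 0) { closedir(d); return -1; }
        if (S_ISDIR(st.st_mode)) {
            long sub = count_setid_files(path);
            if (sub < 0) { closedir(d); return -1; }
            n += sub;
        } else if (S_ISREG(st.st_mode) && (st.st_mode & (S_ISUID | S_ISGID))) {
            n++;
        }
    }
    closedir(d);
    return n;
}

/* Enter the jail and drop to uid/gid for good.  Order matters: chdir before
 * chroot so the cwd is inside the jail, then groups, gid, uid.  Finally check
 * that uid 0 cannot be regained; asking to stay uid 0 correctly fails here,
 * because a root process in a chroot is exactly the case the thread warns about. */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0) return JAIL_FAILED;
    if (chroot(dir) != 0)
        return errno == EPERM ? JAIL_NEED_ROOT : JAIL_FAILED;   /* needs CAP_SYS_CHROOT */
    if (chdir("/") != 0) return JAIL_FAILED;                    /* cwd is now the jail root */
    if (setgroups(0, NULL) != 0) return JAIL_FAILED;
    if (setgid(gid) != 0) return JAIL_FAILED;
    if (setuid(uid) != 0) return JAIL_FAILED;                   /* sets real, effective, saved */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return JAIL_FAILED;                                     /* privilege could be regained */
    return JAIL_OK;
}

/* Constructed fixture: a throwaway jail tree under /tmp containing one
 * setuid file and one plain file, so the checker has something to find. */
const char *make_fixture(void)
{
    static char dir[64];
    char path[128];
    snprintf(dir, sizeof dir, "/tmp/jail-example-XXXXXX");
    if (mkdtemp(dir) == NULL) return NULL;
    snprintf(path, sizeof path, "%s/bin", dir);
    if (mkdir(path, 0755) != 0) return NULL;
    snprintf(path, sizeof path, "%s/bin/suid_tool", dir);      /* assumed name */
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0755);
    if (fd < 0 || fchmod(fd, 04755) != 0) return NULL;         /* owner may set S_ISUID */
    close(fd);
    snprintf(path, sizeof path, "%s/notes.txt", dir);          /* assumed name */
    fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0644);
    if (fd < 0) return NULL;
    close(fd);
    return dir;
}

int main(void)
{
    const char *jail = make_fixture();
    long setid = count_setid_files(jail);
    printf("setuid/setgid files in %s: %ld (expect 0 before jailing anything)\n",
           jail ? jail : "(none)", setid);
    int r = jail_and_drop(jail, 65534, 65534);                 /* assumed unprivileged ids */
    printf("jail_and_drop: %s\n", r == JAIL_OK ? "ok, uid 0 cannot be regained"
                                 : r == JAIL_NEED_ROOT ? "chroot refused (not root)"
                                 : "failed");
    return r == JAIL_FAILED;
}
```

Run the checker over a jail before starting a service in it; the count should be zero. When run unprivileged, `jail_and_drop` reports that chroot itself was refused, which is the expected result: only root can set up the jail, and once it has dropped to an unprivileged uid there is nothing left for the chroot'ed code to use.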

-- 
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug