Re: Chroot bug
From: Alan Cox
Date: Wed Sep 26 2007 - 07:16:44 EST
> >>> The dot-dot entry in the root directory is interpreted to mean the
> >>> root directory itself. Thus, dot-dot cannot be used to access files
> >>> outside the subtree rooted at the root directory.
> > Which is behaviour chroot preserves properly.
> And yet it is the dot-dot entry which is used to access files outside
> the root.
Read it again, and read all the words. Notably "the dot-dot entry *IN*
the root directory". When your current directory is above your root
directory you do not pass through that dot-dot entry.
> Do you believe that when those words were first written, the hidden
> conflict, namely that it permits dot-dot to access files outside the
> subtree, was understood?
Yes. You need to remember the notion of chroot for "security" is a very
new one, and not one that it was designed for. Which as I've said twice
now is why things like vserver and BSD jails have evolved.
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/