Re: Chroot breach in 2.1.100+

Jamie Lokier (lkd@tantalophile.demon.co.uk)
Tue, 22 Sep 1998 10:34:10 +0100


On Mon, Sep 21, 1998 at 11:24:10AM -0700, Marc Slemko wrote:
> You are missing the point below: you don't have to give the process a file
> handle outside the chroot()ed area, they can make one by rechrooting.

Not if they don't have CAP_SYS_CHROOT.
And you can protect against /dev and /proc misuse by disabling CAP_SYS_ADMIN.

-- Jamie

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/