On Thu, Nov 16, 2000 at 05:16:18PM +0100, Andrea Arcangeli wrote:
> On Thu, Nov 16, 2000 at 03:07:04PM +0100, Matthias Andree wrote:
> > It shows a program that saves the cwd -- open(".",...) in an open file,
> > then chroots [..]
>
> This is known behaviour (I know Alan knows about it too), solution is to close
> open directories filedescriptors before chrooting.
>
> Everything that happens before chroot(2) is trusted, so it's secure to rely
> on it to close directories first.
>
> If this is not well documented and people don't know about it and so they
> write unsafe code, that's another issue...
But the problem is that you can call chroot when you're already chrooted.
So what happens is--

1. Your server closes all open directory file descriptors and chroots.
2. Someone manages to run some exploit code in your process space which--
   1. Makes a directory inside the current chroot jail.
   2. Acquires a file descriptor for the root of the current chroot jail.
   3. Chroots to the directory that was just created.
   4. Uses this exploit to pull itself out of the second chroot jail, which
      also breaks it out of the original chroot jail.

It's simply not good enough to close all directory file descriptors before chrooting.
If calling chroot once you're already in a chroot jail was disallowed, it would stop
this attack.
-Jesse
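The exchange above turns on one fact: the nested-chroot trick only works while the process can still call chroot(2), which requires root (CAP_SYS_CHROOT on Linux). The following is an added example, not code from this thread or from the kernel, showing the hardened sequence a jailed server would use: sweep open directory descriptors (Andrea's advice), chroot, chdir("/") so the working directory is inside the new root, then drop root so there is no second chroot call left to make. The helper names (close_directory_fds, enter_jail, chroot_is_unavailable) are hypothetical; the probe at the end checks that chroot(2) is now refused with EPERM.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Step 1: close every descriptor above stderr that refers to a directory,
 * so no handle to the outside tree survives the chroot. Returns how many
 * descriptors were closed. (Hypothetical helper, not kernel or libc code.) */
static int close_directory_fds(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0)
        max = 1024; /* conservative fallback if the limit is unknown */
    int closed = 0;
    for (int fd = 3; fd < max; fd++) {
        struct stat st;
        if (fstat(fd, &st) != 0)
            continue; /* EBADF: descriptor not open */
        if (S_ISDIR(st.st_mode) && close(fd) == 0)
            closed++;
    }
    return closed;
}

/* Step 2: enter the jail and give up the ability to leave it. chroot(2)
 * needs CAP_SYS_CHROOT, so once root is dropped the nested-chroot trick has
 * no syscall to call. chdir("/") moves the cwd inside the new root; without
 * it the cwd would still refer to the directory outside. Returns 0 on
 * success, -1 with errno set on failure. (Hypothetical helper.) */
static int enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL; /* refuse to "drop" privileges to root */
        return -1;
    }
    if (chroot(jail_dir) != 0)
        return -1;
    if (chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0) /* clear supplementary groups first */
        return -1;
    if (setgid(gid) != 0)        /* gid before uid, or setgid would fail */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop actually took effect rather than trusting return codes. */
    if (getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

/* Probe: can this process still call chroot(2)? chroot("/") never moves the
 * root when it succeeds, so it is a harmless check. Returns 1 if chroot is
 * refused with EPERM (the state that defeats the attack above), 0 if it
 * still works. */
static int chroot_is_unavailable(void)
{
    if (chroot("/") == 0)
        return 0;
    return errno == EPERM;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jail_dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);

    printf("closed %d directory fd(s)\n", close_directory_fds());
    if (enter_jail(argv[1], uid, gid) != 0) {
        perror("enter_jail"); /* the chroot step itself needs root */
        return 1;
    }
    printf("chroot(2) now %s\n",
           chroot_is_unavailable() ? "refused (EPERM)" : "STILL AVAILABLE");
    return 0;
}
```

Run as root with a jail directory and an unprivileged uid/gid; the last line should report that chroot(2) is refused. The ordering matters: the descriptor sweep must precede chroot(), chdir("/") must follow it, and the uid drop must come last because the chroot itself needs root. A server that keeps root after chroot (for example to bind a low port later) remains exposed to exactly the sequence Jesse describes, so the privileged work should be done before entering the jail.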
This archive was generated by hypermail 2b29 : Thu Nov 23 2000 - 21:00:11 EST