Re: Linux 2.2.18pre21

From: H. Peter Anvin (hpa@transmeta.com)
Date: Fri Nov 17 2000 - 12:35:37 EST


Peter Samuelson wrote:
>
> [I wrote]
> > > mkdir("foo")
> > > chroot("foo")
>
> [H. Peter Anvin]
> > BUG: you *MUST* chdir() into the chroot jail before it does you any
> > good at all!
>
> No, it wasn't a bug! It was a demonstration. The above code is
> executed not by the application but by the *attacker* who has managed
> to 0wn the existing jail.
>
> Doing the additional chroot("foo") without already being in "foo"
> basically replaces the chroot jail you *were* in, so you are now out.
>
> The sequence I posted is just the simplest un-chroot procedure I know,
> to explain why chroot cannot sandbox the superuser.
>

Right. Gotcha.

-- 
<hpa@transmeta.com> at work, <hpa@zytor.com> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
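The two points in this exchange, that a jail is only useful once the process has chdir()ed into it, and that chroot() cannot confine the superuser, so the process has to give up root before it is worth anything, as an added C example; it is not code from the thread, and enter_jail, the default jail directory and the uid/gid 65534 are this example's own assumptions.

```c
/* Added example (not code from the thread): how a daemon should enter a
 * chroot jail so that neither problem discussed above applies:
 *   1. chdir() into the jail after chroot(), otherwise the cwd is still outside;
 *   2. give up root afterwards, because chroot() cannot confine the superuser.
 * Function and argument names are this example's own. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter `dir` as a chroot jail and drop to uid/gid. Returns 0 on success,
 * -1 on failure with errno set. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || uid == 0 || gid == 0) {
        /* A jailed root can mkdir()+chroot() its way out, so refuse to
         * leave the process with uid 0 inside the jail. */
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) != 0)   /* needs CAP_SYS_CHROOT; fails with EPERM as non-root */
        return -1;
    if (chdir("/") != 0)    /* the step hpa insists on: move the cwd inside */
        return -1;
    /* Drop supplementary groups, then gid, then uid. Order matters: once the
     * uid is non-zero, setgroups() and setgid() are no longer permitted. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Paranoia: if uid 0 can still be regained, the drop did not take. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/var/empty"; /* assumed jail directory */
    if (enter_jail(dir, 65534, 65534) != 0) {           /* 65534: nobody on many systems */
        fprintf(stderr, "enter_jail(%s): %s\n", dir, strerror(errno));
        return 1;
    }
    printf("jailed in %s as uid %u\n", dir, (unsigned)getuid());
    return 0;
}
```

Run it as root with a writable, otherwise empty directory as the argument; as an unprivileged user it fails at chroot() with EPERM, which is the expected outcome.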



This archive was generated by hypermail 2b29 : Thu Nov 23 2000 - 21:00:13 EST