Peter Samuelson <peter@cadcamlab.org> writes:
> Two easy "get out of jail free" cards. There are other, more complex
> exploits. You have added one more. They all require root privileges.
Unless I'm missing something, not all of them do. I haven't checked this
or anything, but it seems to me that all you need is a cooperating
process outside the jail, that opens some world-readable directory and
sends it to the exploit process inside the jail, which fchdir()s to
it. Of course you *do* need an AF_UNIX socket inside the jail for this,
too, so it is probably a quite unlikely attack; but if, for instance,
you reused an outside-the-jail uid *inside* the jail, and the jail had
places writable by this user... bing, no root necessary.
--
`The phrase `causes storage to be reserved', doesn't mean that it causes storage to be reserved. This is a fundamental misunderstanding of Standardeze.' --- Mike Stump on the GCC list
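
The message above names two preconditions for the non-root case: an AF_UNIX socket reachable inside the jail, and a jail location writable by a uid that also exists outside it. The following audit of a chroot tree for both is an added example, not part of the original post; the function names and the sample tree are constructed for illustration.

```python
import os, socket, stat, tempfile

def _writable(st, uid, gids):
    # Classic owner/group/other mode-bit check; ACLs and capabilities are ignored.
    if uid == 0:
        return True
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_jail(jail_root, uid, gids=()):
    """Return (sockets, writable_dirs) found under jail_root for the given uid.

    Only pathname sockets are visible to a filesystem walk; abstract-namespace
    sockets and descriptors inherited before chroot() must be checked separately.
    """
    sockets, writable_dirs = [], []
    for dirpath, _dirnames, filenames in os.walk(jail_root):
        if _writable(os.lstat(dirpath), uid, gids):
            writable_dirs.append(dirpath)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if stat.S_ISSOCK(os.lstat(path).st_mode):
                sockets.append(path)
    return sorted(sockets), sorted(writable_dirs)

def build_sample_jail():
    # Constructed sample tree: one control socket and one world-writable directory.
    root = tempfile.mkdtemp(prefix="jail-")
    for rel, mode in (("", 0o755), ("run", 0o755), ("home", 0o755), ("home/www", 0o777)):
        path = os.path.join(root, rel)
        os.makedirs(path, exist_ok=True)
        os.chmod(path, mode)
    sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    sock.bind(os.path.join(root, "run", "ctl.sock"))
    sock.close()  # the socket inode stays on disk after close
    return root

if __name__ == "__main__":
    root = build_sample_jail()
    # Assumption: the jailed service runs as a uid that is not the tree's owner.
    sockets, writable = audit_jail(root, uid=os.getuid() + 1)
    for p in sockets:
        print("AF_UNIX socket in jail:", p)
    for p in writable:
        print("writable by jailed uid:", p)
```

Run it against a real jail root with the uid (and group ids) the jailed service uses; any socket or writable directory it reports is worth justifying or removing.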
This archive was generated by hypermail 2b29 : Thu Nov 23 2000 - 21:00:14 EST