Re: access to proc filesystem from chrooted process

Nicholas Miell (unknown@riverstyx.net)
Fri, 28 May 1999 14:23:32 -0700 (PDT)


Trivially, from what I can test. I just chrooted myself into /tmp/test,
copied in mount, all the libraries associated with mount, and bash (so I
could run programs). Then 'mount none -t proc /proc' gave me proc.
However, on the 2.2.x kernel that I'm using, the cwd and root directories
are actually symlinks, not like before, so I can't really do much in
there.

2.0.35
lrwx------ 1 root root 64 May 28 21:12 cwd -> [0801]:2

2.2.9
lrwx------ 1 root root 0 May 28 14:21 cwd -> /

In 2.0.35 I can trivially break out of a chroot jail via proc. 2.2.x, I
think it's impossible.

Just thought I'd point out that if you've got root access, and you did it
via a stack overflow or what have you, then you can easily modify the code
you push onto the stack to create a dummy /etc/fstab file.

---
tani hosokawa
river styx internet

On Wed, 26 May 1999, Riley Williams wrote:

> Hi whoever.
>
> On Wed, 26 May 1999, Nobody exists wrote:
>
> >> My analysis states that without the /etc/fstab file, no further
> >> filesystems can be mounted, so even if the mount command is present,
> >> the user will not be able to mount any further copies of the proc
> >> filesystem (or any other filesystem) inside the chroot trap, and thus
> >> that such a non-root user has no means to access anything in the proc
> >> filesystem.
>
> > Why not mount proc before the chroot? You could do this at
> > system bootup, or just before the chroot, and it would seem to
> > solve your problems...
>
> *I* do *NOT* want /proc available within the chroot - that's the whole
> point of my question!!!
>
> The claim made was that a hacker who hacks into a chroot trap can
> mount proc and use it to get out of the chroot trap, and I can't see
> how such can be done, hence the question...
>
> Best wishes from Riley.
>
> +----------------------------------------------------------------------+
> | There is something frustrating about the quality and speed of Linux |
> | development, ie., the quality is too high and the speed is too high, |
> | in other words, I can implement this XXXX feature, but I bet someone |
> | else has already done so and is just about to release their patch. |
> +----------------------------------------------------------------------+
> * ftp://ftp.MemAlpha.cx/pub/rhw/Linux
> * http://www.MemAlpha.cx/kernel.versions.html
>
>
> -
> To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
> the body of a message to majordomo@vger.rutgers.edu
> Please read the FAQ at http://www.tux.org/lkml/

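An added example, not part of the original thread: a host-side check that lists proc filesystems mounted beneath a chroot directory, such as the /tmp/test jail described in the message above. The function names, the sample mount table and the /srv path are constructed for illustration, and the table is assumed to be in /proc/mounts format.

```shell
#!/bin/sh
# Added example: find procfs mounts that sit under a jail directory.

# Constructed sample mount table in /proc/mounts format
# (device, mount point, fstype, options, dump, pass).
sample_table() {
    cat <<'EOF'
/dev/hda1 / ext2 rw 0 0
none /proc proc rw 0 0
none /tmp/test/proc proc rw 0 0
none /tmp/test2/proc proc rw 0 0
none /srv/my\040jail/proc proc rw 0 0
EOF
}

# find_jail_proc JAIL_ROOT [MOUNT_TABLE]
# MOUNT_TABLE defaults to /proc/mounts; "-" reads the table from stdin.
# Prints one mount point per line; returns 0 if any were found, 1 otherwise.
find_jail_proc() {
    jail=${1%/}                      # normalise: drop one trailing slash
    table=${2:-/proc/mounts}
    awk -v jail="$jail" '
        # The kernel writes space and tab in mount points as octal escapes.
        function unescape(s) {
            gsub(/\\040/, " ", s)
            gsub(/\\011/, "\t", s)
            return s
        }
        $3 == "proc" {
            mp = unescape($2)
            # Require the "/" after the jail path so that /tmp/test2 is
            # not reported as being inside /tmp/test.
            if (index(mp, jail "/") == 1) { print mp; found = 1 }
        }
        END { exit found ? 0 : 1 }
    ' "$table"
}

# Demo on the constructed table: reports only the mount inside /tmp/test.
sample_table | find_jail_proc /tmp/test -
```

Run without a second argument, the function reads the live /proc/mounts of the host, so it should be called from outside the jail.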