Re: sys_chroot+sys_fchdir Fix

From: David Newall
Date: Wed Sep 19 2007 - 18:24:37 EST

Next message: Andrew Morton: "Re: [patch 1/7] Extended crashkernel command line"
Previous message: Andrew Morton: "Re: [PATCH] mm: use pagevec to rotate reclaimable page"
In reply to: Alan Cox: "Re: sys_chroot+sys_fchdir Fix"
Next in thread: Phillip Susi: "Re: sys_chroot+sys_fchdir Fix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Normal users cannot use chroot() themselves so they can't use chroot to
get back out

I think Bill is right, that this is to fix a method that non-root processes can use to escape their chroot. The exploit, which is documented in chroot(2)*, is to chdir("..") your way out. Who'd have thought it? Only root can do that, but even that seems wrong. Chroot should be chroot and that should be the end of it.

It looks to me like Miloslav has found a bug, although I suspect there's a simpler solution because non-root is already prevented from escaping this way.

David

* In particular, the superuser can escape from a ‘chroot jail’ by doing ‘mkdir foo; chroot foo; cd ..’.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Andrew Morton: "Re: [patch 1/7] Extended crashkernel command line"
Previous message: Andrew Morton: "Re: [PATCH] mm: use pagevec to rotate reclaimable page"
In reply to: Alan Cox: "Re: sys_chroot+sys_fchdir Fix"
Next in thread: Phillip Susi: "Re: sys_chroot+sys_fchdir Fix"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]