List: freebsd-hackers
Subject: Re: Is it possible to exit the chroot(2) environment?
From: Daniel Ebdrup Jensen <debdrup () FreeBSD ! org>
Date: 2020-09-28 9:50:14
Message-ID: 20200928095014.ohhug4amcao4747x () nerd-thinkpad ! local
On Sun, Sep 27, 2020 at 03:24:05PM -0700, Craig Leres wrote:
>Don't forget about fchdir(), I've used it (in non-chroot()) programs
>to implement pushd/popd functionality in a recursive function.
>
> Craig
Hi folks,

In reading this thread, I was reminded that the jail paper from SANE 2000 [1]
documents both ".." and fchdir() as well-known methods for escaping, with the
former being used to escape anonymous ftp access in the ftp daemon. Similarly,
I also have vague memories of cd / being used to escape chroot.

The section also mentions that new code was added to detect and thwart these
escapes, so perhaps there is a commit log that would be interesting to look at?

Going back in history a bit, from the 'Special handling for ".."' block in
ufs_nami.c in 4.1cBSD [2], it does seem like chroot wasn't even meant to prevent
escaping in V7, and was noticed as a result of redoing namei() for FFS, and
subsequently fixed - so it may be that other Unix-likes inherited different
logic than the BSDs?

[1]: http://www.sane.nl/events/sane2000/papers/kamp.pdf
[2]: https://minnie.tuhs.org/cgi-bin/utree.pl?file=4.1cBSD/a/sys/sys/ufs_nami.c