
List:       freebsd-hackers
Subject:    Re: Is it possible to exit the chroot(2) environment?
From:       Daniel Ebdrup Jensen <debdrup () FreeBSD ! org>
Date:       2020-09-28 9:50:14
Message-ID: 20200928095014.ohhug4amcao4747x () nerd-thinkpad ! local


On Sun, Sep 27, 2020 at 03:24:05PM -0700, Craig Leres wrote:
>Don't forget about fchdir(), I've used it (in non-chroot()) programs 
>to implement pushd/popd functionality in a recursive function.
>
>		Craig

Hi folks,

In reading this thread, I was reminded that the jail paper from SANE 2000 [1]
documents both ".." and fchdir() as well-known methods for escaping, with the 
former being used to escape anonymous ftp access in the ftp daemon. Similarly, 
I also have vague memories of cd / being used to escape chroot.

The section also mentions that new code was added to detect and thwart these 
escapes, so perhaps there is a commit log that would be interesting to look at?

Going back in history a bit, from the 'Special handling for ".."' block in 
ufs_nami.c in 4.1cBSD [2], it does seem like chroot wasn't even meant to prevent 
escaping in V7, and was noticed as a result of redoing namei() for FFS, and 
subsequently fixed - so it may be that other Unix-likes inherited different 
logic than the BSDs?


[1]: http://www.sane.nl/events/sane2000/papers/kamp.pdf
[2]: https://minnie.tuhs.org/cgi-bin/utree.pl?file=4.1cBSD/a/sys/sys/ufs_nami.c

["signature.asc" (application/pgp-signature)]
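
Added example, not part of the message above and not kernel code: a toy userspace model of the special handling for ".." that the message refers to, showing why a directory reference held from outside the new root (a stale working directory, or a descriptor later passed to fchdir()) is never stopped by it. The tree, the struct and the function names walk_dotdot() and is_beneath() are hypothetical; the guard is modelled as an identity comparison against the process root.

```c
#include <stdio.h>

/* Toy directory node; only the parent link matters for "..". */
struct dir { const char *name; struct dir *parent; };

/* Constructed tree: / -> var -> ftp (the chroot root) -> pub */
static struct dir fs_root = { "/",   &fs_root };
static struct dir var_dir = { "var", &fs_root };
static struct dir ftp_dir = { "ftp", &var_dir };
static struct dir pub_dir = { "pub", &ftp_dir };

/* Apply `count` ".." components from `start` for a process whose root
 * directory is `rdir`. The only guard is an identity test against rdir. */
static const struct dir *walk_dotdot(const struct dir *start,
                                     const struct dir *rdir, int count)
{
    const struct dir *dp = start;
    while (count-- > 0) {
        if (dp == rdir)      /* ".." at the process root: stay put */
            continue;
        dp = dp->parent;     /* the real "/" is its own parent */
    }
    return dp;
}

/* Defensive check: is directory reference `d` at or below `rdir`?
 * A cwd or open directory fd that fails this never meets the guard. */
static int is_beneath(const struct dir *d, const struct dir *rdir)
{
    for (;;) {
        if (d == rdir)
            return 1;
        if (d->parent == d)  /* reached the real "/" without passing rdir */
            return 0;
        d = d->parent;
    }
}

int main(void)
{
    /* Reference inside the new root: ".." is clamped at ftp. */
    printf("%s\n", walk_dotdot(&pub_dir, &ftp_dir, 5)->name);
    /* Reference left outside the new root: ".." runs to the real "/". */
    printf("%s\n", walk_dotdot(&var_dir, &ftp_dir, 5)->name);
    printf("%d %d\n", is_beneath(&pub_dir, &ftp_dir),
                      is_beneath(&var_dir, &ftp_dir));
    return 0;
}
```

In a real program the matching hygiene is to chdir() into the new root and close directory descriptors that are no longer needed around the chroot() call, then drop privileges.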
