Subject: Re: chroot() and capabilities
From: Chris Evans (chrisferret.lmh.ox.ac.uk)
Date: Wed Aug 09 2000 - 07:27:33 CDT


On Wed, 9 Aug 2000, Ingo Luetkebohle wrote:

> On Wed, Aug 09, 2000 at 11:48:09AM +0100, Chris Evans wrote:
> > It is well known that a root process can escape a chroot() jail easily.
>
> Where can I find more information about that? I knew that it was
> possible, but never *how* and if it's OS specific.

I don't know of a generic resource.

But when you start thinking about it, many ways emerge. I'll give some
examples. Many are not OS specific.

- Use mknod() to create a raw disk device. Write to that to modify
anything you want outside the chroot().

- A carelessly left hard-link

- ptrace() a process outside the chroot() jail

- Mount /proc; directly modify kernel memory. Or do the same after making
/dev/mem

- Directly access hardware with iopl() and do what you want

etc.

Chris
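The list above is also a checklist for whoever builds the jail. The script below is an added example, not code from the thread or from any of its authors: it walks a prospective chroot() directory and reports the hazards the post names that can be seen from outside before the jail is ever entered: device nodes (the mknod() case), hard links whose other names lie outside the jail (the "carelessly left hard-link" case), and a /proc or other filesystem mounted under the jail root. The function and parameter names are assumptions of this example; the mount list is read from /proc/self/mounts unless a constructed one is passed in.

```python
"""Audit a directory intended for chroot() for hazards a root process could
exploit to escape: device nodes, hard links reaching outside the jail, and
filesystems (e.g. /proc) mounted inside it.  Added example; function names
are assumptions, not part of the original thread."""
import os
import stat
from collections import defaultdict


def find_device_nodes(root):
    """Return block/character device nodes under root (the mknod() hazard)."""
    found = []
    for dirpath, _, filenames in os.walk(root):  # symlinks are not followed
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISBLK(st.st_mode) or stat.S_ISCHR(st.st_mode):
                found.append(path)
    return found


def find_escaping_hard_links(root):
    """Return regular files whose inode has more links than are visible
    inside root: the missing links live outside the jail, so the same file
    is reachable from both sides (the carelessly left hard-link hazard)."""
    inside = defaultdict(list)   # (st_dev, st_ino) -> paths seen in the jail
    link_count = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode):
                key = (st.st_dev, st.st_ino)
                inside[key].append(path)
                link_count[key] = st.st_nlink
    return [p for key, paths in inside.items()
            if link_count[key] > len(paths) for p in paths]


def find_inner_mounts(root, mounts_text=None):
    """Return (mount point, fstype) pairs mounted at or below root, e.g. a
    /proc left mounted inside the jail.  mounts_text defaults to the live
    /proc/self/mounts; a constructed table can be passed for testing."""
    root = os.path.realpath(root)
    if mounts_text is None:
        try:
            with open("/proc/self/mounts") as fh:
                mounts_text = fh.read()
        except OSError:          # no procfs (non-Linux): nothing to check
            return []
    prefix = root.rstrip("/") + "/"
    hits = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        mnt = parts[1].replace("\\040", " ")   # mount(8) escapes spaces as \040
        if mnt == root or mnt.startswith(prefix):
            hits.append((mnt, parts[2]))
    return hits


def audit_jail(root, mounts_text=None):
    """Run every check; an empty dict means none of the listed hazards was found."""
    report = {}
    devices = find_device_nodes(root)
    if devices:
        report["device_nodes"] = devices
    links = find_escaping_hard_links(root)
    if links:
        report["escaping_hard_links"] = links
    mounts = find_inner_mounts(root, mounts_text)
    if mounts:
        report["inner_mounts"] = mounts
    return report


if __name__ == "__main__":
    import sys
    findings = audit_jail(sys.argv[1] if len(sys.argv) > 1 else ".")
    for kind, items in findings.items():
        for item in items:
            print(f"{kind}: {item}")
    sys.exit(1 if findings else 0)
```

The hard-link check works without any knowledge of the rest of the filesystem: if an inode reports three links but only two names are found inside the jail, the third name must be outside it. The ptrace() and iopl() items in the post cannot be audited from the directory tree; they are matters of which capabilities the jailed process retains (CAP_SYS_PTRACE and CAP_SYS_RAWIO respectively), which is the capability side of the thread's subject.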