Subject: Re: chroot() and capabilities
From: Emmanuel Galanos (egalanoscse.unsw.edu.au)
Date: Wed Aug 09 2000 - 08:15:49 CDT


On Wed, Aug 09, 2000 at 11:48:09AM +0100, Chris Evans wrote:
>
> Hi,
>
> It is well known that a root process can escape a chroot() jail easily.
>
> What, however, about individual capabilities? I'd like to start a
> discussion on what capabilities allow a chroot() jail to be escaped, and
> why.

Quick list..

CAP_CHOWN || CAP_DAC_OVERRIDE:
        req: fs block device within chroot (for files outside).
        why: Start playing with underlying fs binaries outside chroot.

CAP_SETUID && CAP_SETGID:
        req: pid of proc outside chroot
        why: as above.
        why: should be able to ptrace

CAP_SYS_PTRACE || CAP_SYS_MODULE || CAP_SYS_RAWIO:
        game over.

CAP_SYS_CHROOT:
        req: ability to create dir
        why: classic chroot escape

CAP_FOWNER || CAP_CHOWN || CAP_FSETID || CAP_SETGID || CAP_SETUID:
        req: files used by a process outside or capable of getting outside
             chroot
        why: possibly compromise the other process by changing files.

CAP_SYS_ADMIN:
        why: mount, mknod, + many many more.

CAP_KILL:
        req: a crappy program that could be compromised by data sent in
             RT sig ()
        why: can send sigs! (ok this one is lame)

CAP_IPC_OWNER:
        req: trust relationship on ipc channel
        why: can send arbitrary ipc messages to dumb program.

This list is probably missing some ways out & wrong as well.

emmanuel
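As an added defensive check (not code from the original thread), the following decodes the CapEff line of a Linux /proc/<pid>/status file and reports which of the capabilities listed above a supposedly confined process still holds; the bit numbers are those from linux/capability.h, and the sample status text is constructed.

```python
import re

# Capabilities named in the post as relevant to leaving a chroot jail,
# mapped to their kernel bit numbers (from linux/capability.h).
CHROOT_RELEVANT_CAPS = {
    "CAP_CHOWN": 0,
    "CAP_DAC_OVERRIDE": 1,
    "CAP_FOWNER": 3,
    "CAP_FSETID": 4,
    "CAP_KILL": 5,
    "CAP_SETGID": 6,
    "CAP_SETUID": 7,
    "CAP_IPC_OWNER": 15,
    "CAP_SYS_MODULE": 16,
    "CAP_SYS_RAWIO": 17,
    "CAP_SYS_CHROOT": 18,
    "CAP_SYS_PTRACE": 19,
    "CAP_SYS_ADMIN": 21,
}

# The post calls any one of these "game over" on its own.
GAME_OVER_CAPS = {"CAP_SYS_PTRACE", "CAP_SYS_MODULE", "CAP_SYS_RAWIO"}


def parse_cap_eff(status_text):
    """Return the effective capability mask (int) from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def retained_escape_caps(status_text):
    """Names of the listed capabilities still set in CapEff, ordered by bit number."""
    mask = parse_cap_eff(status_text)
    ordered = sorted(CHROOT_RELEVANT_CAPS.items(), key=lambda kv: kv[1])
    return [name for name, bit in ordered if mask & (1 << bit)]


def is_game_over(status_text):
    """True if the process keeps a capability the post rates as an outright escape."""
    return bool(GAME_OVER_CAPS & set(retained_escape_caps(status_text)))


# Constructed sample: a process that dropped most of root but kept
# CAP_KILL (bit 5) and CAP_SYS_CHROOT (bit 18) -> mask 0x40020.
SAMPLE_STATUS = "Name:\tjailed\nPid:\t4242\nCapEff:\t0000000000040020\n"

if __name__ == "__main__":
    # For a live process, read open("/proc/%d/status" % pid).read() instead.
    print("retained:", retained_escape_caps(SAMPLE_STATUS))
    print("game over:", is_game_over(SAMPLE_STATUS))
```

The same function can be pointed at /proc/self/status from inside the jail to verify that a capability-dropping setup actually removed everything on this list.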