From: Greg A. Woods (woodsweird.com)
Date: Fri Jul 13 2001 - 18:33:54 CDT


    [ On Friday, July 13, 2001 at 23:02:52 (+0000), Jim Breton wrote: ]
    > Subject: Re: i386 IO access and chroot()
    >
    > On Fri, Jul 13, 2001 at 06:50:11PM -0400, Greg A. Woods wrote:
    > > If I'm not mistaken there are already some papers suggesting methods...
    >
    > Here is one:
    >
    > http://www.bpfh.net/simes/computing/chroot-break.html
    >
    > (Not saying whether this would or would not work in securelevel 2, but
    > the page is very informative.)

    No, that one won't work any more. The 2nd chroot() plus fchdir() trick
    was blocked in NetBSD some time ago (1999/03/22, before 1.4 was branched
    if I'm reading the CVS log correctly), just as it was fixed prior to
    FreeBSD-4.x. From chroot(2):

         If the current working directory is not at or under the new root
         directory, it is silently set to the new root directory. It should be
         noted that, on most other systems, chroot() has no effect on the
         process's current directory.

      HISTORY
         The chroot() function call appeared in 4.2BSD. Working directory
         handling was changed in NetBSD 1.4 to prevent one way a process could
         use a second chroot() call to a different directory to "escape" from
         the restricted subtree. The fchroot() function appeared in NetBSD 1.4.

    That is quite an informative paper otherwise though! ;-)

    -- 
    Greg A. Woods
    +1 416 218-0098 VE3TCP <gwoodsacm.org> <woodsrobohack.ca> Planix, Inc. <woodsplanix.com>; Secrets of the Weird <woodsweird.com>
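The man page excerpt above describes a kernel-side safeguard (NetBSD relocates a working directory that is not under the new root). The program below is an added example, not code from this thread or from NetBSD, showing the user-space sequence a jailed daemon should follow so that it does not depend on that safeguard: move into the jail before calling chroot(), chdir("/") afterwards, and then drop root so that no further chroot() call can succeed. `path_within_root()` is a pure helper that mirrors the "at or under the new root" rule from the man page and can be tested without privileges; `enter_jail()` needs root and the jail directory, uid and gid given on the command line are hypothetical.

```c
#define _DEFAULT_SOURCE 1
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <grp.h>
#include <limits.h>

/* Pure check mirroring the NetBSD rule quoted in the man page excerpt:
 * the working directory must be "at or under" the new root. Returns 1
 * when it is, 0 when it is not (i.e. when the kernel would relocate it). */
int path_within_root(const char *cwd, const char *root)
{
    size_t rl = strlen(root);

    /* Ignore trailing slashes on root, except for root == "/" itself. */
    while (rl > 1 && root[rl - 1] == '/')
        rl--;
    if (rl == 1 && root[0] == '/')
        return cwd[0] == '/';           /* every absolute path is under "/" */
    if (strncmp(cwd, root, rl) != 0)
        return 0;
    /* "/jail" must match "/jail" and "/jail/x" but not "/jailfoo". */
    return cwd[rl] == '\0' || cwd[rl] == '/';
}

/* Enter a chroot jail in the order that does not rely on the kernel
 * relocating the cwd for us, then give up root so that no further chroot()
 * call is possible. Returns 0 on success, -1 on any failure. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (chdir(root) != 0)               /* cwd is now under the new root */
        return -1;
    if (chroot(root) != 0)
        return -1;
    if (chdir("/") != 0)                /* cwd == new root on every kernel */
        return -1;
    if (setgroups(0, NULL) != 0)        /* drop supplementary groups first */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid == 0)                       /* still root: the jail stays escapable */
        return -1;
    /* The privilege drop must be permanent: a second chroot() has to fail. */
    if (chroot("/") == 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    char cwd[PATH_MAX];

    if (argc != 4) {
        fprintf(stderr, "usage: %s <jail-dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    /* Hypothetical invocation (needs root): ./jail /var/jail 65534 65534 */
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("enter_jail");
        return 1;
    }
    if (getcwd(cwd, sizeof cwd) == NULL) {
        perror("getcwd");
        return 1;
    }
    printf("inside jail: cwd=%s uid=%u\n", cwd, (unsigned)geteuid());
    return 0;
}
```

The ordering matters more than any single call: `chdir(root)` before `chroot(root)` removes the "cwd outside the new root" case entirely, `chdir("/")` afterwards covers kernels that, as the man page notes, leave the cwd untouched, and the privilege drop is what actually closes the second-chroot() path on every system, since chroot() is a root-only call.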