Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Thu, 16 Nov 2000 15:23:58 -0500 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Thu, 16 Nov 2000 15:23:48 -0500 Received: from wirex.com ([208.161.110.91]:12548 "HELO mail.wirex.com") by vger.kernel.org with SMTP id ; Thu, 16 Nov 2000 15:23:38 -0500 Date: Thu, 16 Nov 2000 11:52:49 -0800 From: jesse To: linux-kernel@vger.kernel.org Subject: Re: Linux 2.2.18pre21 Message-ID: <20001116115249.A8115@wirex.com> Mail-Followup-To: linux-kernel@vger.kernel.org In-Reply-To: <20001116150704.A883@emma1.emma.line.org> <20001116171618.A25545@athlon.random> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.2.5i In-Reply-To: <20001116171618.A25545@athlon.random>; from andrea@suse.de on Thu, Nov 16, 2000 at 05:16:18PM +0100 X-WebTV-Stationery: Standard; BGColor=black; TextColor=black Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Nov 16, 2000 at 05:16:18PM +0100, Andrea Arcangeli wrote: > On Thu, Nov 16, 2000 at 03:07:04PM +0100, Matthias Andree wrote: > > It shows a program that saves the cwd -- open(".",...) in an open file, > > then chroots [..] > > This is known behaviour (I know Alan knows about it too), solution is to close > open directories filedescriptors before chrooting. > > Everything that happens before chroot(2) is trusted, so it's secure to rely > on it to close directories first. > > If this is not well documented and people doesn't know about it and so they > writes unsafe code that's another issue... But the problem is because you can call chroot when you're already chrooted. So what happens is-- 1. Your server closes all open directory file descriptors and chroots. 2. Someone manages to run some exploit code in your process space which-- 1. Makes a directory inside the current chroot jail. 2. Acquires a file descriptor for the root of the current chroot jail. 3. Chroots to the directory that was just created. 4. Uses this exploit to pull itself out of the second chroot jail, which also breaks it out of the original chroot jail as well. It's simply not good enough to close all directory file descriptors before chrooting. If calling chroot once you're already in a chroot jail was disallowed, it would stop this attack. -Jesse - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org Please read the FAQ at http://www.tux.org/lkml/