Is it possible to exit the chroot(2) environment?
Daniel Ebdrup Jensen
debdrup at FreeBSD.org
Mon Sep 28 09:50:17 UTC 2020
On Sun, Sep 27, 2020 at 03:24:05PM -0700, Craig Leres wrote:
>Don't forget about fchdir(), I've used it (in non-chroot()) programs
>to implement pushd/popd functionality in a recursive function.
>
> Craig

Hi folks,

In reading this thread, I was reminded that the jail paper from SANE 2000 [1]
documents both ".." and fchdir() as well-known methods for escaping, with the
former being used to escape anonymous ftp access in the ftp daemon. Similarly,
I also have vague memories of cd / being used to escape chroot.

The section also mentions that new code was added to detect and thwart these
escapes, so perhaps there is a commit log that would be interesting to look at?

Going back in history a bit, from the 'Special handling for ".."' block in
ufs_nami.c in 4.1cBSD [2], it does seem like chroot wasn't even meant to prevent
escaping in V7, and was noticed as a result of redoing namei() for FFS, and
subsequently fixed - so it may be that other Unix-likes inherited different
logic than the BSDs?

[1]: http://www.sane.nl/events/sane2000/papers/kamp.pdf
[2]: https://minnie.tuhs.org/cgi-bin/utree.pl?file=4.1cBSD/a/sys/sys/ufs_nami.c