Is it possible to exit the chroot(2) environment?

Daniel Ebdrup Jensen debdrup at FreeBSD.org
Mon Sep 28 09:50:17 UTC 2020


On Sun, Sep 27, 2020 at 03:24:05PM -0700, Craig Leres wrote:
>Don't forget about fchdir(), I've used it (in non-chroot() programs)
>to implement pushd/popd functionality in a recursive function.
>
>		Craig

Hi folks,

In reading this thread, I was reminded that the jail paper from SANE 2000 [1]
documents both ".." and fchdir() as well-known methods for escaping, with the 
former being used to escape anonymous ftp access in the ftp daemon. Similarly,
I also have vague memories of cd / being used to escape chroot.

The section also mentions that new code was added to detect and thwart these 
escapes, so perhaps there is a commit log that would be interesting to look at?

Going back in history a bit, from the 'Special handling for ".."' block in 
ufs_nami.c in 4.1cBSD [2], it does seem like chroot wasn't even meant to prevent 
escaping in V7, and was noticed as a result of redoing namei() for FFS, and 
subsequently fixed - so it may be that other Unix-likes inherited different 
logic than the BSDs?


[1]: http://www.sane.nl/events/sane2000/papers/kamp.pdf
[2]: https://minnie.tuhs.org/cgi-bin/utree.pl?file=4.1cBSD/a/sys/sys/ufs_nami.c