kern.chroot_allow_open_directories
Stef Walter
stef-list at memberwebs.com
Thu Jul 19 20:57:27 UTC 2007
Pieter de Boer wrote:
>> Is this sysctl meant to prevent breaking out of a chroot? Or am I
>> missing the point of 'kern.chroot_allow_open_directories'?
>>
> If the sysctl was set to 0 at the moment chroot() was called, then the
> chroot() would have failed if the calling process had open directories
> (that's what the sysctl is meant to do, if I'm understanding the source
> right). If directories weren't open, the chroot() would work, but the
> process would obviously not be able to open directories outside the
> chroot after that, even if you'd set the sysctl to 1.
>
> As I see it, there's no problem here, but could be wrong; chroot() is
> tricky afaik..
Yes, it sure is.
However if a root process inside the chroot jail reset that sysctl,
after which it seems it could perform the usual break out thingy:
http://www.bpfh.net/simes/computing/chroot-break.html
I guess what I was wondering, is if FreeBSD is in fact immune to this
attack, and whether it makes sense to chroot superuser processes on FreeBSD.
Cheers,
Stef
More information about the freebsd-security
mailing list