lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <46F1A196.8060108@davidnewall.com>
Date:	Thu, 20 Sep 2007 07:54:22 +0930
From:	David Newall <david@...idnewall.com>
To:	Alan Cox <alan@...rguk.ukuu.org.uk>
CC:	Bill Davidsen <davidsen@....com>, majkls <majkls@...pere.com>,
	bunk@...tum.de, linux-kernel@...r.kernel.org
Subject: Re: sys_chroot+sys_fchdir Fix


> Normal users cannot use chroot() themselves so they can't use chroot to
> get back out

I think Bill is right, that this is to fix a method that non-root 
processes can use to escape their chroot. The exploit, which is 
documented in chroot(2)*, is to chdir("..") your way out. Who'd have 
thought it? Only root can do that, but even that seems wrong. Chroot 
should be chroot and that should be the end of it.

It looks to me like Miloslav has found a bug, although I suspect there's 
a simpler solution because non-root is already prevented from escaping 
this way.

David

* In particular, the superuser can escape from a ‘chroot jail’ by doing 
‘mkdir foo; chroot foo; cd ..’.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ