| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <Pine.LNX.4.64.0709251903480.945@fbirervta.pbzchgretzou.qr>
Date: Tue, 25 Sep 2007 19:05:06 +0200 (CEST)
From: Jan Engelhardt <jengelh@...putergmbh.de>
To: Miloslav Semler <majkls@...pere.com>
cc: serge@...lyn.com, davidsen@....com, philipp@...ek.priv.at,
7eggert@....de, alan@...rguk.ukuu.org.uk,
linux-kernel@...r.kernel.org
Subject: Re: Chroot bug
On Sep 25 2007 19:00, Miloslav Semler wrote:
>> > This does not help. Let's try:
>> > chroot somewhere
>> > mkdir foo
>> > fd = open /
>> > chroot foo
>> >
>>
>> ('fd' implicitly closed and chdir to /foo)
>>
> Really? Try it. I am sure, that this works. You can create directory in chroot
> and break chroot by this. fd is not closed, because linux doesn't close
> descriptors by chroot syscall. this can be done every time if you have
> CAP_SYS_CHROOT.
In case you have not followed my earlier email, I'll repost:
|>> So what? Just do this: chdir into the root after chroot.
|>
|> I don't think so. His exploit just got me all the way out of a
|> chroot within a chroot within a chroot, inclusive of lots of
|> chdirs.
|>
|
|Close all fds that point to directories outside the root ;-)
Perhaps that was formulated a bit sloppy. It of course means
"On chroot(2), implicitly close all FDs that point outside."
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists