| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <46F940B9.8060006@prepere.com>
Date: Tue, 25 Sep 2007 19:09:13 +0200
From: Miloslav Semler <majkls@...pere.com>
To: Jan Engelhardt <jengelh@...putergmbh.de>
CC: serge@...lyn.com, davidsen@....com, philipp@...ek.priv.at,
7eggert@....de, alan@...rguk.ukuu.org.uk,
linux-kernel@...r.kernel.org
Subject: Re: Chroot bug
Jan Engelhardt napsal(a):
> On Sep 25 2007 19:00, Miloslav Semler wrote:
>
>>>> This does not help. Let's try:
>>>> chroot somewhere
>>>> mkdir foo
>>>> fd = open /
>>>> chroot foo
>>>>
>>>>
>>> ('fd' implicitly closed and chdir to /foo)
>>>
>>>
>> Really? Try it. I am sure, that this works. You can create directory in chroot
>> and break chroot by this. fd is not closed, because linux doesn't close
>> descriptors by chroot syscall. this can be done every time if you have
>> CAP_SYS_CHROOT.
>>
>
> In case you have not followed my earlier email, I'll repost:
>
> |>> So what? Just do this: chdir into the root after chroot.
> |>
> |> I don't think so. His exploit just got me all the way out of a
> |> chroot within a chroot within a chroot, inclusive of lots of
> |> chdirs.
> |>
> |
> |Close all fds that point to directories outside the root ;-)
>
> Perhaps that was formulated a bit sloppy. It of course means
> "On chroot(2), implicitly close all FDs that point outside."
>
yes, but I can use fds from chroot ;-) ....
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists