seteuid(0);
a = open("..", O_RDONLY);
mkdir("adfa", 555);
chroot("adfa");
fchdir(a);
for(cnt = 100; cnt; cnt--) chdir("..");
chroot("..");
execve("/bin//sh", ..);

For the record, I blocked this way of breaking out of chroot in NetBSD in 1999; the fix is present in NetBSD 1.4 and later releases. I'm surprised that this hasn't been picked up by more distributions.

The sys___getcwd() syscall I added for Linux compatibility involved the extension of the namei cache to track '..' entries; this allows for efficient implementation of a "vn_isunder()" test, which is used in several system calls, including chroot(), fchroot(), and fchdir(), to prevent moving a process's root directory upward, and to prevent a process's working directory from ever being above its root directory.

When the above code is executed on NetBSD 1.4 or later, the chroot() will implicitly chdir() the process to the new root directory (since it starts off outside), and the "fchdir()" will fail with an EINVAL, leaving the process stuck inside the chroot.

- Bill
This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 12:08:27 PDT