Re: OpenBSD 2.8 ftpd/glob exploit (breaks chroot)

From: Bill Sommerfeld (sommerfeldat_private)
Date: Wed Apr 18 2001 - 07:01:51 PDT


      seteuid(0); a = open("..", O_RDONLY); mkdir("adfa", 555);
      chroot("adfa"); fchdir(a); for(cnt = 100; cnt; cnt--)
        chdir("..");
      chroot(".."); execve("/bin//sh", ..);
    
    For the record, I blocked this way of breaking out of chroot in NetBSD
    in 1999; the fix is present in NetBSD 1.4 and later releases.  I'm
    surprised that this hasn't been picked up by more distributions.
    
    The sys___getcwd() syscall I added for Linux compatibility involved
    the extension of the namei cache to track '..' entries; this allows
    for efficient implementation of a "vn_isunder()" test, which is used
    in several system calls, including chroot(), fchroot(), and fchdir(),
    to prevent moving a process's root directory upward, and to prevent a
    process's working directory from ever being above its root directory.
    
    When the above code is executed on NetBSD 1.4 or later, the
    chroot() will implicitly chdir() the process to the new root directory
    (since it starts off outside), and the "fchdir()" will fail with an
    EINVAL, leaving the process stuck inside the chroot.
    
    					- Bill
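A user-space analogue of the vn_isunder() check described in the message above, added here as an example (it is neither NetBSD kernel code nor part of the original post): it walks ".." from a candidate directory comparing (st_dev, st_ino) pairs until it either reaches the intended root or the filesystem root, where ".." resolves to the same inode as ".". A jail setup script can use the same test to confirm that a working directory really lies beneath the root before calling chroot(). The directory tree the demo builds under /tmp is constructed for the example.

```c
/* Added example, not from the original message or from NetBSD: user-space
 * version of the "is this directory under that root?" test. The kernel does it
 * with the namei cache; here we simply climb ".." and compare dev/inode pairs. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

static int same_node(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Returns 1 if `path` is `root` or lies beneath it, 0 if not, -1 on error. */
int path_is_under(const char *path, const char *root) {
    struct stat rs, cur, up;
    if (stat(root, &rs) != 0) return -1;
    int fd = open(path, O_RDONLY | O_DIRECTORY);
    if (fd < 0) return -1;
    if (fstat(fd, &cur) != 0) { close(fd); return -1; }
    for (;;) {
        if (same_node(&cur, &rs)) { close(fd); return 1; }   /* reached root */
        int pfd = openat(fd, "..", O_RDONLY | O_DIRECTORY);
        close(fd);
        if (pfd < 0) return -1;
        if (fstat(pfd, &up) != 0) { close(pfd); return -1; }
        if (same_node(&up, &cur)) { close(pfd); return 0; }  /* hit "/": outside */
        fd = pfd;
        cur = up;
    }
}

/* Constructed tree: <tmp>/jail/var/tmp and <tmp>/outside. Returns 0 if every
 * check gives the expected answer, nonzero otherwise. */
int demo(void) {
    char base[] = "/tmp/isunderXXXXXX", jail[64], var[64], inner[64], out[64];
    if (!mkdtemp(base)) return 1;
    snprintf(jail, sizeof jail, "%s/jail", base);
    snprintf(var, sizeof var, "%s/jail/var", base);
    snprintf(inner, sizeof inner, "%s/jail/var/tmp", base);
    snprintf(out, sizeof out, "%s/outside", base);
    mkdir(jail, 0700); mkdir(var, 0700); mkdir(inner, 0700); mkdir(out, 0700);
    int bad = (path_is_under(inner, jail) != 1) + (path_is_under(jail, jail) != 1)
            + (path_is_under(out, jail) != 0) + (path_is_under(base, jail) != 0);
    rmdir(inner); rmdir(var); rmdir(jail); rmdir(out); rmdir(base);
    return bad;
}
```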
    
    This archive was generated by hypermail 2b30 : Wed Apr 18 2001 - 12:08:27 PDT