On Wed, May 22, 2002 at 01:02:56PM +0200, SpaceWalker wrote:
> But if you are able to run code as root, a few syscalls are still available to you:
> inserting modules and ptrace().

If you're able to run code as root, all you need, in most Un*x systems, is:

    mkdir("blah");                  /* a directory inside the current jail */
    chroot("blah");                 /* new root is "blah"; the cwd is left above it */
    chdir("../../../../../../");    /* from a cwd outside the root, ".." walks up to the real / */
    chroot(".");                    /* make the real / the root again */
    execl("/bin/bash", "bash", NULL);

On other Un*x systems, like some BSDs, an implicit chdir(".") is always made after a chroot, so this doesn't work, but you can still do mknod(2), mount(2), etc.

The point is: if the chrooted program runs as root, almost anything can be done. If it doesn't, an attacker can only play with inherited file descriptors, kill(2) and ptrace(2) to processes belonging to the same user, and meddle with the accessible filesystem for private records or to aid in an intrusion.

Regards
-- 
Luciano Rocha, strangeat_private
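The two conditions the post relies on (the process is still root, and the cwd is left above the new root) are exactly what a jailing routine must remove: chdir("/") right after chroot, then an irreversible privilege drop, followed by a self-check that root cannot be regained. This is an added example, not code from the original mail; the jail path /var/empty and the uid/gid 65534 are assumptions.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Enter the jail at `dir` and drop from root to uid/gid, in the order that
 * leaves no way back: chroot, then chdir("/") so the cwd is not left above
 * the new root, then supplementary groups, gid, uid (gid first: it needs root).
 * Returns 0 on success, -1 with errno set by the failing call. */
static int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chroot(dir) != 0)
        return -1;
    if (chdir("/") != 0)          /* cwd must be inside the new root */
        return -1;
    if (setgroups(0, NULL) != 0)  /* shed inherited supplementary groups */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return 0;
}

/* Self-check to run right after enter_jail(): the drop is only real if the
 * real, effective and saved uids are all non-zero and setuid(0) is refused. */
static int root_is_gone(void)
{
    uid_t ruid, euid, suid;
    if (getresuid(&ruid, &euid, &suid) != 0)
        return 0;
    if (ruid == 0 || euid == 0 || suid == 0)
        return 0;
    errno = 0;
    return setuid(0) == -1 && errno == EPERM;
}

int main(void)
{
    /* Assumed jail directory and unprivileged ids; adjust for the host. */
    if (enter_jail("/var/empty", 65534, 65534) != 0) {
        perror("enter_jail");
        return 1;
    }
    if (!root_is_gone()) {
        fputs("privilege drop incomplete, refusing to continue\n", stderr);
        return 1;
    }
    puts("jailed and unprivileged");
    return 0;
}
```

Run it as root; a failure of any step aborts before anything untrusted executes, so a half-applied jail is never reported as success.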
This archive was generated by hypermail 2b30 : Thu May 23 2002 - 20:56:03 PDT