Peter Samuelson wrote:
>
> [I wrote]
> > > mkdir("foo")
> > > chroot("foo")
>
> [H. Peter Anvin]
> > BUG: you *MUST* chdir() into the chroot jail before it does you any
> > good at all!
>
> No, it wasn't a bug! It was a demonstration. The above code is
> executed not by the application but by the *attacker* who has managed
> to 0wn the existing jail.
>
> Doing the additional chroot("foo") without already being in "foo"
> basically replaces the chroot jail you *were* in, so you are now out.
>
> The sequence I posted is just the simplest un-chroot procedure I know,
> to explain why chroot cannot sandbox the superuser.
>
Right. Gotcha.
--
<[EMAIL PROTECTED]> at work, <[EMAIL PROTECTED]> in private!
"Unix gives you enough rope to shoot yourself in the foot."
http://www.zytor.com/~hpa/puzzle.txt
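The defensive counterpart to the un-chroot trick above, as an added example that is not part of the thread: a C helper (hypothetical name `enter_jail`) that does the three things a correct jail needs, `chroot()` followed by `chdir("/")` (the step hpa flagged), then an irrevocable drop of root, because a process that stays uid 0 can always `mkdir()`+`chroot()` its way back out. It refuses to "jail" uid 0 for exactly that reason, and it double-checks afterwards that root cannot be regained.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* Confine the calling process to `dir` and permanently give up root.
 * Returns 0 on success, -1 with errno set on any failure.  Must be
 * called while still root.  Hypothetical helper, not code from the
 * thread; `dir`, `uid` and `gid` are the caller's choice. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        /* A root-owned "jail" is not a jail: root re-chroots out of it. */
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) == -1)
        return -1;
    /* Without this chdir() the cwd is still outside the new root and a
     * chdir("..") walks straight out; this is the bug hpa pointed at. */
    if (chdir("/") == -1)
        return -1;
    /* Drop supplementary groups, then the gid, then the uid.  The order
     * matters: once the uid is no longer 0, setgroups()/setgid() fail. */
    if (setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    /* Verify the drop is irrevocable: getting uid/gid 0 back must fail.
     * If it succeeds, only the effective id was changed and the jail is
     * still escapable. */
    if (setuid(0) == 0 || setgid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jaildir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);

    if (enter_jail(argv[1], uid, gid) == -1) {
        perror("enter_jail");
        return 1;
    }
    /* From here on the process is unprivileged inside the jail: the
     * mkdir()+chroot() sequence from the thread now fails with EPERM. */
    printf("jailed in %s as uid %lu\n", argv[1], (unsigned long)uid);
    return 0;
}
```

Run it as root with a prepared directory and an unprivileged uid/gid, e.g. `./enter_jail /var/empty 65534 65534`; run as a non-root user it fails at `chroot()` with EPERM, which is the expected outcome. The uid-0 refusal and the post-drop `setuid(0)` check are the parts worth copying into any daemon that relies on chroot, since chroot alone, as the thread says, cannot sandbox the superuser.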