Hello, on IRC two days ago we had a discussion about secure chroot() implementation. To make it short: it does not exist a such one.
The details: the problem of current chroot(2) is that this syscall is not stackable -- on every new chroot(2) invocation the dead zone will be set to a new value and the old one dropped. This fact allows to bypass the chroot by moving into an "free" directory with 'fchdir(fd)' and go from there with subsequent 'chdir("..")' to the real root. A vserver kernel-patch introduced a new chrootsafe() syscall which tries to prevent the 'fchdir()' part by forbidding open directories as chrootsafe() time. So, the 'fchdir(fd)' can not be executed. Sounds really good and secure on first glance, but kloo_ brought in the idea to transfer filedescriptors via SCM_RIGHTS -- and it works; see http://www.tu-chemnitz.de/~ensc/chrootescape.c (replace vc_chrootsafe() with your own implementation; the actual program uses an experimental syscall which was written by Herbert Poetzl to demonstrate the issue). In attack-mode, this program forks into two processes. The first one calls vc_chrootsafe() to move the dead zone. The second process opens a directory-filedescriptor and transmits it to the first process through SCM_RIGHTS. Now, this process can continue with conventional chroot() methods to come to the real /. Assuming stackable chroots (every chroot() puts the new dead zone into a list which gets processed in vfs_permissions()), the SCM_RIGHTS method can bypass these chroot() also. All you need are two processes within independent chroots which are sharing a filesystem (e.g. /home). The first process moves into the environment of the second one with the already mentioned fchdir() method. Now, it can be moved freely to '..' since the dead zone does not exist there. Another method to escape chrootsafe(), would be the movement of the current directory: one process calls chrootsafe() to move the dead zone, and goes into a directory within the new jail. Now, a second process (started within the old dead zone) moves this directory to a place which is outside of the new dead zone. The cwd-fd of the new process stays in this dir, and on the path to the real '/', the new dead zone will never be reached. Under some circumstances (two processes in independent chroot environments which are sharing a filesystem), this attack works for ordinary users also. Please not that the current 'chmod 000' hack is not affected by this attacks since it is a fixed barrier which can not be bypassed. Therefore, it will not make sense to hope on a magic chrootsafe() syscall for vservers. Alternative approaches like CLONE_NEWNS in combination with pivot_root() or 'mount --rbind <vdir> /' (suggested by Rik van Riel) must be investigated to find better methods. Enrico _______________________________________________ Vserver mailing list [EMAIL PROTECTED] http://list.linux-vserver.org/mailman/listinfo/vserver