[1108] in linux-security and linux-alert archive


[linux-security] chroot (1) security hole

daemon@ATHENA.MIT.EDU (Ivan Buttinoni)
Wed Aug 28 20:11:50 1996

Date: Tue, 27 Aug 1996 12:51:33 +0100 (GMT+0100)
From: Ivan Buttinoni <ivan@cibi.it>
Reply-To: Ivan Buttinoni <ivan@cibi.it>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <m0ujZR8-000RB3C@omega-3.null.org>

Environment:
 Linux 2.0.13
 libc.so.5 => libc.so.5.2.18
 gcc version 2.7.2

Action:
 bash# cd /
 bash# chroot /restricted/area /bin/bash
 shell-init: could not get current directory: getwd: cannot access parent
  directories
 
Problem:
 After 'Action', I'm not in "/restricted/area", I'm in the real "/"!

[REW: Yes. The problem lies in the fact that the current working 
directory isn't changed by the chroot system call. Could someone
check the chroot program's sources and report whether it does a 
chdir ("/"); after the chroot system call?

Note that you DON'T want someone being "root" in a restricted area.
You can more or less always "break out of" a chrooted area if you are
root in there. There are too many "exits" for root to fix them all.
The point of a chrooted area is to prevent normal users from having
access to the programs which form a security risk.]

Ivan

| <IB> Ivan Buttinoni - e-mail: ivan@cibi.it  -  Tel. + 39 - 338 - 6134099  |
|Via G. Carducci, 17 Albino (BG) 24021 ITALY WWW: http://www.cibi.it/ </IB> |
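
The sequence the moderator's note asks about, as an added example that is not part of the original post or the chroot program's source: change directory, chroot, chdir("/"), verify, then give up root. The names enter_jail and cwd_is_root and the uid/gid 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1   /* exposes chroot() and setgroups() in glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when the working directory is the process's root directory. */
int cwd_is_root(void)
{
    struct stat cwd, root;
    if (stat(".", &cwd) != 0 || stat("/", &root) != 0)
        return 0;
    return cwd.st_dev == root.st_dev && cwd.st_ino == root.st_ino;
}

/* Confine the process to dir and give up root. Returns 0 on success,
 * -1 on error; on error the caller should exit, state may be partial. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)      /* never stay root inside the area */
        return -1;
    if (chdir(dir) != 0)           /* move inside before changing the root */
        return -1;
    if (chroot(".") != 0)          /* needs root; changes the root, not the cwd */
        return -1;
    if (chdir("/") != 0)           /* the step the note above asks about */
        return -1;
    if (!cwd_is_root())            /* refuse to continue with a cwd outside */
        return -1;
    if (setgroups(0, NULL) != 0)   /* drop supplementary groups first */
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0)            /* root must not be recoverable */
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* 65534 ("nobody" on many systems) is an assumed unprivileged id. */
    if (argc != 2 || enter_jail(argv[1], 65534, 65534) != 0) {
        fprintf(stderr, "usage: %s DIR (run as root)\n", argv[0]);
        return 1;
    }
    execl("/bin/sh", "sh", (char *)NULL);  /* resolved inside the new root */
    return 1;
}
```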
