[1108] in linux-security and linux-alert archive
[linux-security] chroot (1) security hole
daemon@ATHENA.MIT.EDU (Ivan Buttinoni)
Wed Aug 28 20:11:50 1996
Date: Tue, 27 Aug 1996 12:51:33 +0100 (GMT+0100)
From: Ivan Buttinoni <ivan@cibi.it>
Reply-To: Ivan Buttinoni <ivan@cibi.it>
To: linux-security@tarsier.cv.nrao.edu
In-Reply-To: <m0ujZR8-000RB3C@omega-3.null.org>
Environment:
Linux 2.0.13
libc.so.5 => libc.so.5.2.18
gcc version 2.7.2
Action:
bash# cd /
bash# chroot /restricted/area /bin/bash
shell-init: could not get current directory: getwd: cannot access parent directories
Problem:
After 'Action', I'm not in "/restricted/area", I'm in the real "/"!
[REW: Yes. The problem lies in the fact that the current working
directory isn't changed by the chroot system call. Could someone
check the chroot program's sources and report whether it does a
chdir ("/"); after the chroot system call.
Note that you DON'T want someone being "root" in a restricted area.
You can more or less always "break out of" a chrooted area if you are
root in there. There are too many "exits" for root to fix them all.
The point of a chrooted area is to prevent normal users from having
access to the programs which form a security risk.]
Ivan
| <IB> Ivan Buttinoni - e-mail: ivan@cibi.it - Tel. + 39 - 338 - 6134099 |
|Via G. Carducci, 17 Albino (BG) 24021 ITALY WWW: http://www.cibi.it/ </IB> |
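
The sequence the moderator's note asks about, as an added example that is not part of the original message and is not the source of the chroot program: a wrapper that changes the working directory as part of entering the new root, plus a check that reports whether the current directory still lies below "/". The function names enter_jail and cwd_inside_root are hypothetical.

```c
#define _DEFAULT_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Enter the restricted area so that the working directory ends up inside
 * the new root. Returns 0 on success, -1 on failure (errno is set). */
int enter_jail(const char *dir)
{
    if (chdir(dir) != 0)      /* move into the area before changing root */
        return -1;
    if (chroot(".") != 0)     /* requires root privileges */
        return -1;
    return chdir("/");        /* the chdir("/") the note asks about */
}

/* Follow ".." upwards from the working directory until a directory is its
 * own parent, then compare that directory with "/".
 * Returns 1 if the cwd is below "/", 0 if it is outside, -1 on error. */
int cwd_inside_root(void)
{
    char path[4096] = ".";
    struct stat root, cur, up;
    size_t len = 1;

    if (stat("/", &root) != 0 || stat(path, &cur) != 0)
        return -1;
    for (;;) {
        if (len + 3 >= sizeof path)
            return -1;                    /* path too deep for this buffer */
        memcpy(path + len, "/..", 4);     /* append one more "/.." */
        len += 3;
        if (stat(path, &up) != 0)
            return -1;
        if (up.st_dev == cur.st_dev && up.st_ino == cur.st_ino)
            break;                        /* ".." led nowhere new: top reached */
        cur = up;
    }
    return cur.st_dev == root.st_dev && cur.st_ino == root.st_ino;
}

int main(void)
{
    printf("cwd inside root: %d\n", cwd_inside_root());
    return 0;
}
```

A daemon can call cwd_inside_root() right after changing root and refuse to continue unless it returns 1.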