Re: [useradd] Adding user fails in vserver

About this list Date view Thread view Subject view Author view Attachment view

Date: Tue Feb 05 2002 - 22:46:10 EST

On Tuesday, 5 February 2002 at 13:51, Jacques Gelinas wrote:

> On Tue, 5 Feb 2002 18:52:49 -0500, wrote
> > /* chroot call - still leaves the cwd pointing outside vserver */
> > if(chroot(root_dir)) { perror("chroot failed"); exit(1) };
> > /* fix the cwd */
> > if(chdir("/") { perror("chdir failed"); exit(1) };
> > /* it should be safe at this point, right? */
> The problem is not the first chroot (the one used to "enter" the vserver). the
> problem is doing a second chroot while keeping the current directory behind.

It is my understanding that all the considered chroot exploits ( we are not talking about using
devices and mounting tricks as this capability is disabled in vserver ) are based on either
using file handle that was open before the first chroot, or the current directory from
before the first chroot.

Unless I'm missing something, the solution is simple - do not leave any file handles open
when you do chroot and do chdir("/") immediately after. Problem solved.

> Once the chroot is done, you are free to do chdir (".."). Since the test is perform
> only if the current directory == the process root directory, chdir("..") works and let
> you out of the original vserver root directory.

If you did chdir("/") after the first chroot, subsequent chroot and chdir("..") will not get you

p.s. speaking of open file handles, what about stdin, stdout and stderr of a process before chroot
and after. How is that handled?

About this list Date view Thread view Subject view Author view Attachment view

This archive was generated by hypermail 2.1.4 : Mon Aug 19 2002 - 12:01:00 EDT