switch_root and mount move
Laurent Bercot
ska-dietlibc at skarnet.org
Wed May 2 23:13:14 UTC 2012
> As I understood from your own description in switch_root.c, you are
> calling chdir("/") to prevent such an ability.
> Can an attacker break out from this chroot (applet called from bash,
> not a chroot() system call in a C program)?

Same thing. If you can do it in C, you can do it in shell.

It takes a few lines of C code to write the following programs:

* "opendir fd dir remainder" performs an opendir() system call on dir,
  assigns the result to the fd file descriptor, and execs into remainder.
* "fchrootdir fd remainder" performs fchdir(fd), close(fd), chroot(".")
  and execs into remainder.

Then breaking out of a chroot is a breeze:

Say A is the script that runs under a chroot. Instead of writing
"chroot /newroot A", you write "opendir 3 / chroot /newroot fchrootdir 3 A"
and A will execute under the old root, despite the chroot command.

--
Laurent
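
Added example, not part of the original message and not busybox code: the escape described above depends on a directory descriptor opened before chroot still being open in the chrooted program. The C wrapper below (the names safe_chroot and close_dir_fds are hypothetical) closes every inherited directory descriptor before calling chroot() and chdir("/"); it addresses only this descriptor-based path.

```c
/* Added example: chroot wrapper that drops inherited directory descriptors.
 * Hypothetical usage: safe_chroot NEWROOT PROG [ARGS...] */
#define _DEFAULT_SOURCE          /* for the chroot() declaration on glibc */
#include <stdio.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

/* Close every open descriptor in [from, to) that refers to a directory.
 * Returns the number of descriptors closed, or -1 if a close() failed. */
int close_dir_fds(int from, int to)
{
    int closed = 0;
    for (int fd = from; fd < to; fd++) {
        struct stat st;
        if (fstat(fd, &st) == -1)
            continue;                 /* EBADF: descriptor is not open */
        if (!S_ISDIR(st.st_mode))
            continue;                 /* files, pipes, ttys are left alone */
        if (close(fd) == -1)
            return -1;
        closed++;
    }
    return closed;
}

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s newroot prog [args...]\n", argv[0]);
        return 100;
    }
    /* Scan from 0: stdin/stdout/stderr can be directory descriptors too.
     * Slow if the descriptor limit is huge; on Linux, listing
     * /proc/self/fd is a faster way to enumerate open descriptors. */
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || close_dir_fds(0, (int)max) == -1) {
        perror("closing directory descriptors");
        return 111;
    }
    /* Fail closed: never exec the program if confinement was not set up. */
    if (chroot(argv[1]) == -1) { perror("chroot"); return 111; }
    if (chdir("/") == -1)      { perror("chdir");  return 111; }
    execvp(argv[2], argv + 2);
    perror("execvp");
    return 111;
}
```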