Chroot in ftpd on newer kernel versions

Rich Felker dalias at aerifal.cx
Wed Oct 3 13:15:35 UTC 2012


On Wed, Oct 03, 2012 at 05:47:12AM +0200, Harald Becker wrote:
> Hi Rich !
> 
> On 02-10-2012 22:56 Rich Felker <dalias at aerifal.cx> wrote:
> 
> >chroot has never been possible for non-root users. Allowing non-root
> >users to chroot will almost surely allow them to obtain root if there
> >are any suid-root binaries on the system.
> 
> At least on some 2.6 kernel versions I had been able to chroot to
> accessible directories as non-root.

Must be some broken patched kernel.

> And sure, if there are suid-root
> programs inside the chroot path you may obtain such rights, but this is
> true even before you do a chroot.

The attack is much easier and is not possible without chroot. It
basically goes like this:

1. Make a hard link to any suid program (except static-linked ones)
inside the tree that will be your chroot. This works unless all suid
binaries are on separate physical filesystems from filesystems
writable by normal users.

2. Make a static-linked shell and store it in the chroot as
"/lib/ld-linux.so.2".

3. chroot() and run the suid binary. You now have a root shell.

> I do not use the chroot for sake of
> security, I use it for kind of novice protection and simplicity. Here I
> wanted to isolate Busybox ftpd (which is a pure anonymous access
> server) to a specific path, so users do not see (or accidentally try
> to access) other files via ftp access.

Yes, I understand what you're trying to do. The ftpd could just
virtualize the fs, doing its own restriction to keep you from going
outside, but chroot then dropping root privs would also work, and I
think that's the feature you want. If that feature is missing it
should probably be added.

> I'm talking about the Busybox ftpd applet which contains a chroot
> (working only when run as root user) but does not have code to drop
> privileges to a different user after doing chroot. So I call this an
> issue in using that applet. There is at least some inconsistency and

I agree. This should be fixed if it's an issue.

> Do you really complain about not using Busybox ftpd for such a purpose?
> How do you build and install different ftpd packages without even
> having (yet) a compiler on the machine? ... before you are able to get
> things ready to build different packages.

I would not use Busybox ftpd for any long-term/serious use, but I
agree it's fine for bootstrapping a new system when it's not connected
to public networks.

Rich
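The precondition in step 1 of the attack above (a setuid binary on the same physical filesystem as a directory a normal user can write to) is something an administrator can check. The script below is an added example for this thread, not code from the busybox list or the busybox project: it lists setuid files on a filesystem, tests whether a given user-writable directory shares that filesystem (the condition for a hard link to be possible at all), and reports whether the kernel's fs.protected_hardlinks sysctl would block the link anyway. It assumes a Linux system with a `stat` that understands `-c %d` (GNU coreutils or busybox) and a `find` with `-xdev`; the directories to audit are supplied by the caller.

```shell
#!/bin/sh
# Added example, not code from the busybox list thread or the busybox project.
# Checks the precondition of step 1 above: can an unprivileged user hard-link a
# setuid binary into a tree they control?  That needs (a) a writable directory
# on the same filesystem as the setuid binary and (b) no kernel hard-link
# restriction (sysctl fs.protected_hardlinks, Linux 3.6 and later).
# Assumes Linux with `stat -c %d` (GNU coreutils or busybox) and `find -xdev`.

# same_fs A B: true when A and B are on the same filesystem (same st_dev),
# which is exactly when `ln A/x B/y` can succeed at all.
same_fs() {
    [ "$(stat -c %d "$1")" = "$(stat -c %d "$2")" ]
}

# find_suid ROOT: list every setuid file on ROOT's filesystem.  -xdev stops
# at mount points, matching the "same physical filesystem" wording above.
# Note: a statically linked setuid binary never loads /lib/ld-linux.so.2, so
# only dynamically linked ones work in step 3; this list does not tell them apart.
find_suid() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
}

# protected_hardlinks_on: true when the kernel refuses hard links to files the
# caller neither owns nor can write (fs.protected_hardlinks = 1).
protected_hardlinks_on() {
    [ "$(cat /proc/sys/fs/protected_hardlinks 2>/dev/null)" = 1 ]
}

# hardlink_exposure WRITABLE ROOT: print the setuid files under ROOT that share
# a filesystem with WRITABLE.  Returns 0 when there are none, 1 otherwise.
hardlink_exposure() {
    writable=$1
    exposed=$(find_suid "$2" | while IFS= read -r f; do
        if same_fs "$writable" "$f"; then
            printf '%s\n' "$f"
        fi
    done)
    [ -z "$exposed" ] && return 0
    printf '%s\n' "$exposed"
    return 1
}

# audit_main WRITABLE ROOT...: report for one user-writable directory against
# one or more filesystem roots.  Returns 1 when step 1 of the attack is feasible
# or only blocked by the sysctl.
audit_main() {
    writable=$1; shift
    status=0
    for root in "$@"; do
        if ! hardlink_exposure "$writable" "$root"; then
            status=1
        fi
    done
    if [ "$status" -eq 1 ]; then
        if protected_hardlinks_on; then
            echo "setuid files share a filesystem with $writable; fs.protected_hardlinks=1 blocks the link"
        else
            echo "setuid files share a filesystem with $writable and hard links are unrestricted: step 1 is feasible"
        fi
    else
        echo "no setuid file shares a filesystem with $writable"
    fi
    return "$status"
}

# Run only when given arguments, e.g.:  sh audit_hardlinks.sh /home /usr /bin
if [ "$#" -gt 0 ]; then
    audit_main "$@"
fi
```

Run it as root so `find` can read every directory; the usual remedies when it reports exposure are mounting user-writable filesystems `nosuid` and on a separate device from the setuid binaries, or setting `fs.protected_hardlinks=1`, which removes the hard-link step regardless of layout.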


More information about the busybox mailing list