ftpd authentication [PATCH] ftpd: NOMMU/chroot fix

Ralf Friedl Ralf.Friedl at online.de
Thu Jun 26 12:07:59 UTC 2014


Denys Vlasenko wrote:
> On Thu, Jun 26, 2014 at 11:45 AM, Morten Kvistgaard
> <MK at pch-engineering.dk> wrote:
>> I've attached my strace.
>>
>> I'm not sure that it tells me anything though.
>> I've run: sudo strace -p<inetd_pid> -f -o ftpd.strace
>> Is there a better way?
>>
>> Anyway, the current code will exit jail with the following code:
>>
>> ...
>> if (fchdir(G.root_fd) != 0)
>>          _exit(127);
>> ...
>>
>> But on my Ubuntu and uClinux that's not enough to break out of jail.
> What do you mean? In your strace, fchdir succeeds:
>
> 15144 fchdir(3 <unfinished ...>
> 15143 <... mmap2 resumed> )             = 0xb77d0000
> 15144 <... fchdir resumed> )            = 0
>
>> And so the following code will fail:
>>
>> ...
>> /* + 1: we must use relative path here if in chroot.
>> * For example, execv("/proc/self/exe") will fail, since
>>   * it looks for "/proc/self/exe" _relative to chroot!_ */
>> execv(bb_busybox_exec_path + 1, (char**) argv);
>> _exit(127);
>> ...
>>
>>
>> The strace might reflect this:
>> ...
>> execve("proc/self/exe", ["ftpd", "-l", "/"], [/* 9 vars */]) = -1 ENOENT (No such file or directory)
>> ...
> This is strange. Any ideas why this fails on your machine?
Morten Kvistgaard wrote:
> But on my Ubuntu and uClinux that's not enough to break out of jail. And so the following code will fail:
I have no idea why someone would use NOMMU on Ubuntu, but most likely 
busybox is dynamically linked and therefore exec busybox fails because it 
doesn't find the dynamic linker. Even if it would find the dynamic 
linker, the linker wouldn't find the dynamic libraries.

Why does the child process only chdir and no chroot?
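
An added diagnostic example, not part of the thread or of the BusyBox source: execve() of a dynamically linked ELF also has to open the loader named in PT_INTERP, an absolute path resolved against the process root, so a binary found through a relative path can still fail with ENOENT inside a chroot. The function names and the sample image are constructed for illustration; 64-bit Linux with `<elf.h>` is assumed.

```c
#include <elf.h>
#include <string.h>
#include <unistd.h>

/* Copy the PT_INTERP (dynamic loader) path of an ELF64 image into out.
 * Returns 1 if present (dynamic), 0 if absent (static), -1 if malformed. */
int elf64_interp(const unsigned char *img, size_t len, char *out, size_t outlen)
{
    Elf64_Ehdr eh; Elf64_Phdr ph;
    if (len < sizeof eh) return -1;
    memcpy(&eh, img, sizeof eh);
    if (memcmp(eh.e_ident, ELFMAG, SELFMAG) || eh.e_ident[EI_CLASS] != ELFCLASS64) return -1;
    if (eh.e_phentsize != sizeof ph || eh.e_phoff > len) return -1;
    for (size_t i = 0, off = eh.e_phoff; i < eh.e_phnum; i++, off += sizeof ph) {
        if (len - off < sizeof ph) return -1;      /* off <= len holds here */
        memcpy(&ph, img + off, sizeof ph);
        if (ph.p_type != PT_INTERP) continue;
        if (ph.p_offset > len || ph.p_filesz > len - ph.p_offset) return -1;
        /* The path must fit in out and already be NUL-terminated in the file. */
        if (!ph.p_filesz || ph.p_filesz > outlen || img[ph.p_offset + ph.p_filesz - 1]) return -1;
        memcpy(out, img + ph.p_offset, ph.p_filesz);
        return 1;
    }
    return 0;
}

/* 1 if the image is static or its loader resolves from the current root, else 0.
 * Run inside the jail, a loader that exists only outside it yields 0. */
int loader_reachable(const unsigned char *img, size_t len)
{
    char path[256];
    int r = elf64_interp(img, len, path, sizeof path);
    return r <= 0 ? r == 0 : access(path, X_OK) == 0;
}

/* Constructed sample: ELF64 header, one program header, optional loader string. */
size_t make_sample(unsigned char *buf, size_t cap, const char *interp)
{
    size_t n = interp ? strlen(interp) + 1 : 0, body = sizeof(Elf64_Ehdr) + sizeof(Elf64_Phdr);
    Elf64_Ehdr eh = { .e_ident = { ELFMAG0, 'E', 'L', 'F', ELFCLASS64 },
                      .e_phoff = sizeof eh, .e_phentsize = sizeof(Elf64_Phdr), .e_phnum = 1 };
    Elf64_Phdr ph = { .p_type = interp ? PT_INTERP : PT_LOAD, .p_offset = body, .p_filesz = n };
    if (body + n > cap) return 0;
    memcpy(buf, &eh, sizeof eh);
    memcpy(buf + sizeof eh, &ph, sizeof ph);
    if (n) memcpy(buf + body, interp, n);
    return body + n;
}
```

Feeding the bytes of the real busybox binary to `loader_reachable()` from inside the chroot tells a missing loader apart from a missing executable, which the bare ENOENT in the strace does not.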

