Re: Chroot bug

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

To: Miloslav Semler <majkls@...>

Cc: David Newall <david@...>, Adrian Bunk <bunk@...>, Alan Cox <alan@...>, Serge E. Hallyn <serge@...>, Bill Davidsen <davidsen@...>, Philipp Marek <philipp@...>, <7eggert@...>, <bunk@...>, <linux-kernel@...>

Subject: Re: Chroot bug

Date: Wednesday, September 26, 2007 - 10:02 am

On Sep 26, 2007, at 09:11:33, Miloslav Semler wrote:
quoted text> + long directory_is_out(struct vfsmount *wdmnt, struct dentry  
> *wdentry,
> + 		struct vfsmount *rootmnt, struct dentry *root)
> + {
> + 	struct nameidata oldentry, newentry;
> + 	long ret = 1;
> + 	
> +         read_lock(&current->fs->lock);
> + 	oldentry.dentry = dget(wdentry);
> + 	oldentry.mnt = mntget(wdmnt);
> +         read_unlock(&current->fs->lock);
> + 	newentry.dentry = oldentry.dentry;
> + 	newentry.mnt = oldentry.mnt;
> + 	
> + 	follow_dotdot(&newentry);
> + 	/* check it */
> + 	if(newentry.dentry == root &&
> + 		newentry.mnt == rootmnt){
> + 		ret = 0;
> + 		goto out;
> + 	}
> + 	
> + 	while(oldentry.mnt != newentry.mnt ||
> + 		oldentry.dentry != newentry.dentry){
> + 		
> + 		memcpy(&oldentry, &newentry, sizeof(struct nameidata));
> + 		follow_dotdot(&newentry);
> + 		
> + 		/* check it */
> + 		if(newentry.dentry == root &&
> + 			newentry.mnt == rootmnt){
> + 			ret = 0;
> + 			goto out;
> + 		}
> + 	}
> + out:
> + 	dput(newentry.dentry);
> + 	mntput(newentry.mnt);
> + 	return ret;
> + }

This is basically both painfully racy and easily broken with umount  
and/or access to proc.  See this busybox-compatible example:

## Set up chroot
mkdir /root1
mount -o mode=0750 -t tmpfs tmpfs /root1
cp -a /bin/busybox /root1/busybox

## Enter chroot
chroot /root1 /busybox

## Mount proc
/busybox mkdir /proc
/busybox mount -t proc proc /proc

## Poke around root filesystem (this may be all you need)
/busybox ls /proc/1/root/

## Detach our chroot so we're no longer a sub-directory
/busybox umount -l /proc/1/root/root1

## Now we can easily chroot to the original root, since it isn't in  
our ".." path
exec /busybox chroot /proc/1/root /bin/sh


See how easy that is?  Unless you stick the above parent-directory  
check (which is still racy against directories being moved around)  
for *EVERY* directory component of *EVERY* open/chdir-ish syscall,  
you are still going to be easily worked around through many different  
methods.

Cheers,
Kyle Moffett

-
unsubscribe noticeTo unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]

Messages in current thread:

Re: sys_chroot+sys_fchdir Fix, Bodo Eggert, (Thu Sep 20, 7:13 am)

Re: sys_chroot+sys_fchdir Fix, Philipp Marek, (Thu Sep 20, 7:59 am)

Re: sys_chroot+sys_fchdir Fix, David Newall, (Thu Sep 20, 12:06 pm)

Re: sys_chroot+sys_fchdir Fix, Philipp Marek, (Thu Sep 20, 12:17 pm)

Re: sys_chroot+sys_fchdir Fix, David Newall, (Thu Sep 20, 2:02 pm)

Re: sys_chroot+sys_fchdir Fix, Bill Davidsen, (Thu Sep 20, 4:53 pm)

Re: sys_chroot+sys_fchdir Fix, David Newall, (Fri Sep 21, 4:29 am)

Re: sys_chroot+sys_fchdir Fix, Serge E. Hallyn, (Mon Sep 24, 5:32 pm)

Re: sys_chroot+sys_fchdir Fix, David Newall, (Mon Sep 24, 6:04 pm)

Re: sys_chroot+sys_fchdir Fix, Serge E. Hallyn, (Mon Sep 24, 7:02 pm)

Re: sys_chroot+sys_fchdir Fix, Serge E. Hallyn, (Mon Sep 24, 7:00 pm)

Re: sys_chroot+sys_fchdir Fix, David Newall, (Tue Sep 25, 3:45 am)

Re: sys_chroot+sys_fchdir Fix, Serge E. Hallyn, (Tue Sep 25, 7:49 am)

Re: sys_chroot+sys_fchdir Fix, David Newall, (Tue Sep 25, 9:58 am)

Chroot bug (was: sys_chroot+sys_fchdir Fix), David Newall, (Tue Sep 25, 11:10 am)

Re: Chroot bug (was: sys_chroot+sys_fchdir Fix), Bodo Eggert, (Wed Sep 26, 3:23 pm)

Re: Chroot bug (was: sys_chroot+sys_fchdir Fix), Adrian Bunk, (Tue Sep 25, 11:32 am)

Re: Chroot bug, Miloslav Semler, (Tue Sep 25, 11:43 am)

Re: Chroot bug, Adrian Bunk, (Tue Sep 25, 12:02 pm)

Re: Chroot bug (was: sys_chroot+sys_fchdir Fix), Alan Cox, (Tue Sep 25, 11:30 am)

Re: Chroot bug, David Newall, (Tue Sep 25, 11:35 am)

Re: Chroot bug, Arjan van de Ven, (Tue Sep 25, 12:33 pm)

Re: Chroot bug, Alan Cox, (Tue Sep 25, 11:48 am)

Re: Chroot bug, David Newall, (Tue Sep 25, 7:50 pm)

Re: Chroot bug, Adrian Bunk, (Tue Sep 25, 8:55 pm)

Re: Chroot bug, Kyle Moffett, (Wed Sep 26, 1:21 am)

Re: Chroot bug, David Newall, (Wed Sep 26, 6:27 am)

Re: Chroot bug, Kyle Moffett, (Wed Sep 26, 8:54 am)

Re: Chroot bug, Miloslav Semler, (Wed Sep 26, 9:11 am)

Re: Chroot bug, Kyle Moffett, (Wed Sep 26, 10:02 am)

Re: Chroot bug, Miloslav Semler, (Wed Sep 26, 11:01 am)

Re: Chroot bug, Jiri Kosina, (Thu Sep 27, 9:49 am)

Re: Chroot bug, Al Viro, (Wed Sep 26, 9:42 am)

Re: Chroot bug, Miloslav Semler, (Wed Sep 26, 10:51 am)

Re: Chroot bug, Olivier Galibert, (Wed Sep 26, 6:45 am)

Re: Chroot bug, David Newall, (Wed Sep 26, 7:13 am)

Re: Chroot bug, Olivier Galibert, (Wed Sep 26, 11:02 am)

Re: Chroot bug, linux-os (Dick Johnson), (Wed Sep 26, 9:18 am)

Re: Chroot bug, Willy Tarreau, (Wed Sep 26, 1:25 am)

Re: Chroot bug, Alan Cox, (Tue Sep 25, 8:18 pm)

Re: Chroot bug, David Newall, (Wed Sep 26, 6:24 am)

Re: Chroot bug, Alan Cox, (Wed Sep 26, 6:47 am)

Re: Chroot bug, David Newall, (Wed Sep 26, 7:06 am)

Re: Chroot bug, Bongani Hlope, (Wed Sep 26, 9:13 am)

Re: Chroot bug, Alan Cox, (Wed Sep 26, 7:20 am)

Re: Chroot bug, Jan Engelhardt, (Tue Sep 25, 11:47 am)

Re: Chroot bug (was: sys_chroot+sys_fchdir Fix), Jan Engelhardt, (Tue Sep 25, 11:20 am)

Re: Chroot bug, Miloslav Semler, (Tue Sep 25, 11:39 am)

Re: Chroot bug, David Newall, (Tue Sep 25, 11:41 am)

Re: Chroot bug, Jan Engelhardt, (Tue Sep 25, 11:48 am)

Re: Chroot bug, David Newall, (Tue Sep 25, 4:51 pm)

Re: Chroot bug, Miloslav Semler, (Tue Sep 25, 12:19 pm)

Re: Chroot bug, Serge E. Hallyn, (Tue Sep 25, 12:53 pm)

Re: Chroot bug, Jan Engelhardt, (Tue Sep 25, 12:52 pm)

Re: Chroot bug, Miloslav Semler, (Tue Sep 25, 1:00 pm)

Re: Chroot bug, Jan Engelhardt, (Tue Sep 25, 1:05 pm)

Re: Chroot bug, Al Viro, (Tue Sep 25, 1:09 pm)

Re: Chroot bug, Miloslav Semler, (Tue Sep 25, 1:19 pm)

Re: Chroot bug, Miloslav Semler, (Tue Sep 25, 1:09 pm)

Re: sys_chroot+sys_fchdir Fix, majkls, (Thu Sep 20, 8:52 am)


linux-kernel:
Pierre Ossman	Re: [RFC][PATCH] cpuidle: avoid singing capacitors
Greg KH	[GIT PATCH] driver core patches against 2.6.24
Greg KH	Re: Announce: Linux-next (Or Andrew's dream :-))
Rene Herman	2.6.26, PAT and AMD family 6
git:

linux-netdev:
Jesper Krogh	Re: NIU - Sun Neptune 10g - Transmit timed out reset (2.6.24)
Gerrit Renker	[PATCH 27/37] dccp: Integration of dynamic feature activation - part 2 (server side)
Arjan van de Ven	Re: [GIT]: Networking
Radu Rendec	htb parallelism on multi-core platforms
openbsd-misc: