Re: kern.chroot_allow_open_directories
Pieter de Boer wrote:
>> Is this sysctl meant to prevent breaking out of a chroot? Or am I
>> missing the point of 'kern.chroot_allow_open_directories'?
>>
> If the sysctl was set to 0 at the moment chroot() was called, then the
> chroot() would have failed if the calling process had open directories
> (that's what the sysctl is meant to do, if I'm understanding the source
> right). If directories weren't open, the chroot() would work, but the
> process would obviously not be able to open directories outside the
> chroot after that, even if you'd set the sysctl to 1.
>
> As I see it, there's no problem here, but could be wrong; chroot() is
> tricky afaik..
Yes, it sure is.
However if a root process inside the chroot jail reset that sysctl,
after which it seems it could perform the usual break out thingy:
http://www.bpfh.net/simes/computing/chroot-break.html
I guess what I was wondering, is if FreeBSD is in fact immune to this
attack, and whether it makes sense to chroot superuser processes on FreeBSD.
Cheers,
Stef
_______________________________________________
freebsd-security@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
討論串 (同標題文章)
完整討論串 (本文為第 4 之 5 篇):