Mailinglist Archive: opensuse-security (260 mails)

Re: [suse-security] dhcpd patch
  • From: Thomas Biege <thomas@xxxxxxx>
  • Date: Tue, 25 Jul 2000 13:56:10 +0200 (CEST)
  • Message-id: <Pine.LNX.4.21.0007251350350.26774-100000@xxxxxxxxxxxxxx>
On Tue, 25 Jul 2000, Roman Drahtmueller wrote:

> > hm, the guy who wrote that patch seems not very familiar with chroot()ed
> > environments. he misses the chdir() after the chroot(), which makes the
> > chroot jail insecure. to be on the safe track initgroups() should be
> Just a brief note, since people often tend to consider chroot() a security
> feature of the kernel:
> As long as a process inside a chroot()ed environment is capable of doing
> chroot(2), the process will be able to break out. Executing chdir(2) after
> chroot(2) doesn't really remedy this illness.

if the process could chroot(), it has root privileges. with the power of
root you have 1001 ways to break chroot. it's also possible to break
chroot without root.

> Try this: chroot(1) as root and then execute the little q+d hack
> underneath my sig to break out. You might want to link it statically if
> you don't have the necessary libraries around.

AFAIK this bug does not work on all Unix derivatives.

Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@xxxxxxx Function: Security Support & Auditing
"lynx -source | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
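
The call order this thread is about, as an added example that is not part of the original mail or of the dhcpd patch: change into the jail, chroot(), chdir("/"), then give up root and confirm it cannot be regained. The function name `enter_jail`, its error codes, and the use of setgroups() with a numeric uid/gid (instead of a name lookup with initgroups()) are assumptions made for this sketch.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical error codes: one per step, so the caller sees which step failed. */
enum jail_err {
    JAIL_OK = 0, JAIL_ERR_BAD_ID = -1, JAIL_ERR_CHDIR = -2, JAIL_ERR_CHROOT = -3,
    JAIL_ERR_CHDIR_ROOT = -4, JAIL_ERR_GROUPS = -5, JAIL_ERR_SETGID = -6,
    JAIL_ERR_SETUID = -7, JAIL_ERR_STILL_ROOT = -8
};

/* Confine the calling process to dir and drop root for good. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* Refuse to "drop" to root: a root process inside the jail can leave it. */
    if (uid == 0 || gid == 0)      return JAIL_ERR_BAD_ID;
    /* Move the working directory inside the jail before changing the root. */
    if (chdir(dir) != 0)           return JAIL_ERR_CHDIR;
    if (chroot(".") != 0)          return JAIL_ERR_CHROOT;
    /* The chdir() the thread says the patch misses: cwd is now the new "/". */
    if (chdir("/") != 0)           return JAIL_ERR_CHDIR_ROOT;
    /* Groups first, then gid, then uid: after setuid() these calls would fail. */
    if (setgroups(1, &gid) != 0)   return JAIL_ERR_GROUPS;
    if (setgid(gid) != 0)          return JAIL_ERR_SETGID;
    if (setuid(uid) != 0)          return JAIL_ERR_SETUID;
    /* Verify the drop is permanent: regaining uid 0 must not succeed. */
    if (setuid(0) == 0 || getuid() == 0 || geteuid() == 0)
        return JAIL_ERR_STILL_ROOT;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jail-dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    int rc = enter_jail(argv[1], (uid_t)strtoul(argv[2], NULL, 10),
                        (gid_t)strtoul(argv[3], NULL, 10));
    printf("enter_jail returned %d\n", rc);
    return rc == JAIL_OK ? 0 : 1;
}
```

Every return value is checked because a silently failed setuid() leaves the process running as root inside the jail.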
