Re: Chroot breach in 2.1.100+

Marc Slemko (marcs@go2net.com)
Mon, 21 Sep 1998 01:53:57 -0700 (PDT)


On Sun, 20 Sep 1998, David S. Miller wrote:

> Date: Sun, 20 Sep 1998 18:32:01 -0400 (EDT)
> From: Alexander Viro <viro@math.psu.edu>
>
> # mount -t proc none .
> # echo ./../*
> <contents of the _parent_ of foo>
>
> If you're root and can mount filesystems, you lose anyways.
>
> Consider open("./1/cwd"...); open("./25/fd/5"...); etc.

Even if you can't mount filesystems you lose anyway with the standard
fd = open(".", ...); chroot("somedir"); fchdir(fd); chdir("..") a number
of times; chroot(".").

i.e. you can chroot again, while keeping a handle open to a directory
outside your new chroot, then use that to walk up and chroot to the real
'/'.

Many of the cases you come across can be fixed by various "oh, just deny
this", but chroot() was never designed to be unbreakable by root with
access to execute either arbitrary code or a reasonable set of basic
utilities. It isn't on Linux, and it isn't on nearly any other machine.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
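As an added example (not code from the thread or from any kernel source), here is what a jailer should do before handing control to untrusted code, given the sequence Marc describes and his point that root can always get out: chdir into the jail before chroot, close every inherited descriptor so no handle to an outside directory survives, and drop root irrevocably. The function names, error codes, the jail path and the uid/gid arguments are assumptions of this example.

```c
/* Added example, not from the original thread. Assumes Linux; jail path and
 * target uid/gid are supplied by the caller. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <sys/resource.h>
#include <unistd.h>

enum { JAIL_OK, JAIL_ERR_BAD_TARGET, JAIL_ERR_NOT_ROOT, JAIL_ERR_SYSCALL,
       JAIL_ERR_STILL_ROOT };

/* Close every descriptor >= lowfd and return how many were open. This is
 * what removes the fd = open(".") handle the escape in the post relies on. */
int close_inherited_fds(int lowfd) {
    struct rlimit rl;
    int closed = 0;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0 || rl.rlim_cur == RLIM_INFINITY)
        rl.rlim_cur = 65536;                /* fallback upper bound */
    for (int fd = lowfd; fd < (int)rl.rlim_cur; fd++)
        if (close(fd) == 0) closed++;
    return closed;
}

/* Self-check that needs no root: a directory fd opened before the sweep
 * must be invalid afterwards. Returns 1 when the sweep worked. */
int demo_close_check(void) {
    int dirfd = open("/", O_RDONLY | O_DIRECTORY);
    if (dirfd < 0) return 0;
    close_inherited_fds(3);
    return fcntl(dirfd, F_GETFD) == -1 && errno == EBADF;
}

/* Enter `jail`, then give up root for good. chdir comes before chroot so
 * cwd is already inside; every inherited fd is closed so no directory
 * outside the jail stays reachable; the final check refuses to continue
 * as uid 0, because root inside a chroot can always walk back out. */
int enter_jail(const char *jail, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return JAIL_ERR_BAD_TARGET;
    if (geteuid() != 0) return JAIL_ERR_NOT_ROOT;
    if (chdir(jail) != 0 || chroot(".") != 0) return JAIL_ERR_SYSCALL;
    close_inherited_fds(3);
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_ERR_SYSCALL;
    if (setuid(0) == 0 || geteuid() == 0) return JAIL_ERR_STILL_ROOT;
    return JAIL_OK;
}
```

Only the descriptor sweep and the refusal paths can be exercised without root; the chroot itself still needs CAP_SYS_CHROOT, and a mount-capable root inside the jail remains out of scope, as the quoted message notes.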