Michael C. Toren on 8 Dec 2005 20:42:53 -0000
On Thu, Dec 08, 2005 at 07:52:59AM -0500, Mark Dominus wrote:
> The main page for the talk is at:
>
> http://perl.plover.com/classes/unixsec/

I mentioned last night that it was possible on modern systems for root to
easily break out of a chroot jail, but unfortunately I couldn't remember
the specific incantation at the time. I've since been able to refresh my
memory; the procedure is as follows:

1) Open a file descriptor pointing to the current working directory.
2) Create a temporary directory within the jail, and chroot() to it.
3) Using fchdir(), change the working directory to the file descriptor
   saved from step 1.
4) Change the working directory to ".." as many times as necessary to
   reach the top of the real file system.
5) chroot() to the current working directory.

An example may be found at:

http://michael.toren.net/code/tmp/jailbird.c

and executed as:

gcc -static -Wall -o jailbird jailbird.c && sudo chroot . ./jailbird dir

This works today on my Linux 2.6.12 system, but may not work on others.
For example, the chroot() man page on FreeBSD 5.3 indicates that if
kern.chroot_allow_open_directories is set to zero, the chroot() call
will fail if there are any open directories.

-mct

--
perl -e'$u="\4\5\6";sub H{8*($_[1]%79)+($_[0]%8)}sub G{vec$u,H(@_),1}sub S{vec
($n,H(@_),1)=$_[2]}$_=q^{P`clear`;for$iX){PG($iY)?"O":" "forX8);P"\n"}for$iX){
forX8){$c=scalar grep{G@$_}[$i-1Y-1Z-1YZ-1Y+1ZY-1ZY+1Z+1Y-1Z+1YZ+1Y+1];S$iY,G(
$iY)?$c=~/[23]/?1:0:$c==3?1:0}}$u=$n;select$M,$C,$T,.2;redo}^;s/Z/],[\$i/g;s/Y
/,\$_/xg;s/X/(0..7/g;s/P/print+/g;eval'
# Michael C. Toren <mct@toren.net>
___________________________________________________________________________
Philadelphia Linux Users Group -- http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion -- http://lists.phillylinux.org/mailman/listinfo/plug
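The escape above needs two things: an open directory descriptor that predates the second chroot(), and root privileges after it. The following is an added example (not jailbird.c and not from the thread) of setting up a jail so that neither is available: it refuses to chroot while any directory descriptor is open (the same rule the FreeBSD sysctl enforces), moves the cwd inside the jail, and drops root for good. It assumes /proc/self/fd or /dev/fd is readable, and the uid/gid values a caller passes are placeholders.

```c
#define _GNU_SOURCE            /* dirfd() and setgroups() on glibc */
#include <dirent.h>
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>
/* Count open descriptors that refer to directories (the handles the escape
 * relies on), ignoring the one used to read the fd table. -1 on error. */
int count_open_directory_fds(void)
{
    DIR *d = opendir("/proc/self/fd");           /* assumed; /dev/fd fallback */
    if (d == NULL && (d = opendir("/dev/fd")) == NULL)
        return -1;
    int self = dirfd(d), count = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        char *end;
        long fd = strtol(e->d_name, &end, 10);
        if (*end != '\0' || fd == self)
            continue;                 /* ".", "..", and our own handle */
        struct stat st;
        if (fstat((int)fd, &st) == 0 && S_ISDIR(st.st_mode))
            count++;
    }
    closedir(d);
    return count;
}
/* Enter a jail in an order that leaves nothing for the escape to use: refuse
 * while a directory fd is open, chroot, chdir("/") so the cwd is inside the
 * jail, then give up root permanently. 0 on success, -1 with errno set. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    int open_dirs = count_open_directory_fds();
    if (open_dirs != 0) {             /* caller must close them first */
        if (open_dirs > 0) errno = EBUSY;
        return -1;
    }
    if (chroot(dir) != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {             /* root must not be recoverable */
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

A daemon would call enter_jail() once as root, before handling any untrusted input, and treat -1 as fatal rather than continuing unjailed.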