From: Enrico Scholz (enrico.scholz_at_informatik.tu-chemnitz.de)
Date: Wed 26 Nov 2003 - 01:55:22 GMT
on IRC two days ago we had a discussion about secure chroot()
implementation. To make it short: it does not exist a such one.
The details: the problem of current chroot(2) is that this syscall is
not stackable -- on every new chroot(2) invocation the dead zone will be
set to a new value and the old one dropped. This fact allows to bypass
the chroot by moving into an "free" directory with 'fchdir(fd)' and go
from there with subsequent 'chdir("..")' to the real root.
A vserver kernel-patch introduced a new chrootsafe() syscall which
tries to prevent the 'fchdir()' part by forbidding open directories as
chrootsafe() time. So, the 'fchdir(fd)' can not be executed.
Sounds really good and secure on first glance, but kloo_ brought in the
idea to transfer filedescriptors via SCM_RIGHTS -- and it works; see
(replace vc_chrootsafe() with your own implementation; the actual
program uses an experimental syscall which was written by Herbert
Poetzl to demonstrate the issue).
In attack-mode, this program forks into two processes. The first one
calls vc_chrootsafe() to move the dead zone. The second process opens a
directory-filedescriptor and transmits it to the first process through
SCM_RIGHTS. Now, this process can continue with conventional chroot()
methods to come to the real /.
Assuming stackable chroots (every chroot() puts the new dead zone into a
list which gets processed in vfs_permissions()), the SCM_RIGHTS method
can bypass these chroot() also. All you need are two processes within
independent chroots which are sharing a filesystem (e.g. /home). The
first process moves into the environment of the second one with the
already mentioned fchdir() method. Now, it can be moved freely to '..'
since the dead zone does not exist there.
Another method to escape chrootsafe(), would be the movement of the
current directory: one process calls chrootsafe() to move the dead zone,
and goes into a directory within the new jail. Now, a second process
(started within the old dead zone) moves this directory to a place which
is outside of the new dead zone. The cwd-fd of the new process stays in
this dir, and on the path to the real '/', the new dead zone will never
Under some circumstances (two processes in independent chroot environments
which are sharing a filesystem), this attack works for ordinary users
Please not that the current 'chmod 000' hack is not affected by this
attacks since it is a fixed barrier which can not be bypassed.
Therefore, it will not make sense to hope on a magic chrootsafe() syscall
for vservers. Alternative approaches like CLONE_NEWNS in combination with
pivot_root() or 'mount --rbind <vdir> /' (suggested by Rik van Riel) must
be investigated to find better methods.
Vserver mailing list