Subject: Re: chroot(2)
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Eduardo E. Horvath <eeh@one-o.com>
List: tech-kern
Date: 10/02/1998 09:11:32
On Fri, 2 Oct 1998, der Mouse wrote:

> > i've always hated chroot(2)'s inability to correctly deal with letting
> > normal users do this.  from a security perspective, the functionality
> > is really nice, but having to be root *first* is a lose...
> 
> Well, if you just take a current kernel and remove the suser() check
> from chroot, you open up two big holes: (1) it's really easy to do
> things like build your own /etc/master.passwd in a chroot tree,
> hardlink in su, and get yourself a root shell; and (2) it's really easy
> to escape from a chrooted jail, provided there's at least one
> subdirectory of the jail's root (which is (almost?) invariably true).
> 
> I see no indication that you like or dislike my suggestions for dealing
> with those problems, nor did you provide any of your own, nor even an
> indication that you didn't consider them problems.
> 
> In response to my note, one person has pointed out that chdir/fchdir
> needs some kind of restriction, or (2) is still pretty easy even if
> chroot is restricted to absolute pathnames.  Thus, I modify my
> suggestion for (2) to say that non-root users cannot chroot or chdir
> (including fchdir and fchroot, the latter nonexistent ATM anyway) to a
> directory that is not under the current root (one from which walking ..
> links doesn't lead to the process's current root).  If this is done,
> the "absolute path only" restriction on chroot can be removed, since
> its goal is better served by this restriction.

This seems to be getting complicated.  I figure you can solve the security
hole if you prevent any chroot-ed process from acquiring root privileges.
This can be handled by either preventing a process from transitioning to
[res]uid = 0 or by removing the chroot on the transition from [res]uid !=
0 -> [res]uid == 0 so things like `su' and `login' will read the real
passwd file.  Disabling the non-root => root transition is probably safer.
That way if you manage to escape from jail you still can't do much harm.

OTOH, these changes will prevent the OS from virtualizing itself since
the root -> user -> root transition would be disallowed.  Is reacquiring
root privilege safe under the present scheme?

=========================================================================
Eduardo Horvath				eeh@one-o.com
	"I need to find a pithy new quote." -- me
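The "walk .. until you reach the current root" test that der Mouse proposes above, written as a user-space check (added example, not code from this thread or from any BSD kernel): it compares dev/ino pairs while climbing ".." with openat, so it is not fooled by path strings, and it treats "'..' is itself" as the top of the tree. The run_demo helper and its temp-directory layout are constructed for illustration.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

static int same_node(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* Climb ".." from dir: 1 if we meet root on the way, 0 if we reach the
 * namespace top (where ".." is itself) without meeting it, -1 on error.
 * Uses dev/ino identity rather than string-prefix matching on the path. */
int is_under_root(const char *dir, const char *root) {
    struct stat rst, cur, par;
    int fd, pfd;
    if (stat(root, &rst) != 0 || (fd = open(dir, O_RDONLY | O_DIRECTORY)) < 0)
        return -1;
    for (;;) {
        if (fstat(fd, &cur) != 0) { close(fd); return -1; }
        if (same_node(&cur, &rst)) { close(fd); return 1; }
        pfd = openat(fd, "..", O_RDONLY | O_DIRECTORY);
        close(fd);
        if (pfd < 0 || fstat(pfd, &par) != 0) { if (pfd >= 0) close(pfd); return -1; }
        if (same_node(&cur, &par)) { close(pfd); return 0; }  /* top of tree */
        fd = pfd;
    }
}

/* Constructed layout under a temp dir: jail/sub must be under jail, and
 * a sibling "outside" must not. Returns 1 when both answers are as expected,
 * 0 otherwise, -1 on setup failure. Hypothetical helper for the demo. */
int run_demo(void) {
    char base[] = "/tmp/chrootXXXXXX", jail[64], sub[64], outside[64];
    if (!mkdtemp(base)) return -1;
    snprintf(jail, sizeof jail, "%s/jail", base);
    snprintf(sub, sizeof sub, "%s/jail/sub", base);
    snprintf(outside, sizeof outside, "%s/outside", base);
    if (mkdir(jail, 0700) || mkdir(sub, 0700) || mkdir(outside, 0700)) return -1;
    int in = is_under_root(sub, jail), out = is_under_root(outside, jail);
    rmdir(sub); rmdir(jail); rmdir(outside); rmdir(base);
    return (in == 1 && out == 0) ? 1 : 0;
}
```

A kernel version of the same rule would do the walk on vnodes against the process's root vnode instead of on paths, but the dev/ino comparison and the "'..' is itself" stop condition carry over unchanged.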