Subject: Re: openat(2) and friends
To: Steinar Hamre <steinarh@pvv.ntnu.no>
From: David Laight <david@l8s.co.uk>
List: tech-kern
Date: 03/08/2005 23:46:24
> > The problem is that if there ever is a way to get an fd into the chroot 
> > area, the chrooted program can get out; there's no more checking.
> 
> Just to satisfy my curiosity:
> 
> 1. Any fd's open when the chroot is performed. (Could easily be
>    flagged at chroot time.)
> 2. rename() of directories inside the chroot to the outside. (worse)
>    (collaborator on the outside "needed".)
> 3. The oh-so-magic way of passing an open fd via a socket.
>    (I have no idea of how it's actually performed. Perhaps I should
>    check ssh...) (As easy as 1.)
> 
> Any others?

Files that are open on fd numbers greater than ulimit(NOFILE).
I haven't (yet) thought of a way to exploit this, but since programs
have (before closeall()) closed fd's up to the ulimit value, there has to
be some use for having an open one with a higher value.

	David

-- 
David Laight: david@l8s.co.uk