Subject: re: i386 IO access and chroot()
To: None <email@example.com>
From: Greg A. Woods <firstname.lastname@example.org>
Date: 07/13/2001 18:50:11
[ On Saturday, July 14, 2001 at 07:02:54 (+1000), matthew green wrote: ]
> Subject: re: i386 IO access and chroot()
> With == 2 it is difficult.
> this case is much more interesting. i don't believe's possible.
If I'm not mistaken there are already some papers suggesting methods...
Indeed many of the existing methods I've seen documented are blocked by
preventing all new mounts when securelevel>=2.....
However I don't think mknod(2) is disabled at securelevel>=2 yet, and it
probably should be, though you can work around that by putting the
chroot jail on a filesystem mounted with 'nodev' (and maybe 'nosuid'
I think there could still be holes in lesser used facilities like /proc,
so leaving it mounted in view of the chroot area may be a mistake...
Various device drivers may have issues, so if there are any device nodes
visible in the chroot area.... ('nodev' and/or no mknod()....)
If there are any more buffer-overflow style vulnerabilities in the
kernel then that's another potential avenue of escape.....
I don't know if anyone's explored the possibilities of (ab)using
networking services from within the chroot jail yet either....
Greg A. Woods
+1 416 218-0098 VE3TCP <email@example.com> <firstname.lastname@example.org>
Planix, Inc. <email@example.com>; Secrets of the Weird <firstname.lastname@example.org>