Subject: re: i386 IO access and chroot()
To: None <>
From: Greg A. Woods <>
List: tech-security
Date: 07/13/2001 18:50:11
[ On Saturday, July 14, 2001 at 07:02:54 (+1000), matthew green wrote: ]
> Subject: re: i386 IO access and chroot() 
>    With == 2 it is difficult.
> this case is much more interesting.  i don't believe it's possible.

If I'm not mistaken, there are already some papers suggesting methods...

Indeed, many of the existing methods I've seen documented are blocked by
preventing all new mounts when securelevel>=2.....

However, I don't think mknod(2) is disabled at securelevel>=2 yet, and it
probably should be, though you can work around that by putting the
chroot jail on a filesystem mounted with 'nodev' (and maybe 'nosuid').

I think there could still be holes in lesser used facilities like /proc,
so leaving it mounted in view of the chroot area may be a mistake...

Various device drivers may have issues, so if there are any device nodes
visible in the chroot area....  ('nodev' and/or no mknod()....)

If there are any more buffer-overflow style vulnerabilities in the
kernel then that's another potential avenue of escape.....

I don't know if anyone's explored the possibilities of (ab)using
networking services from within the chroot jail yet either....

							Greg A. Woods

+1 416 218-0098      VE3TCP      <>     <>
Planix, Inc. <>;   Secrets of the Weird <>
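An added example, not part of the message above and not NetBSD code: a small sh script that audits a chroot jail against the two mount-level points raised in the message, that the jail should sit on a filesystem mounted 'nodev' (and 'nosuid') so device nodes created with mknod(2) are inert, and that no procfs should be mounted anywhere the jail can see. It assumes BSD-style `mount` output ("device on mountpoint type fstype (opt, opt, ...)") on stdin; the mount table it runs against is constructed for the demonstration, not taken from any real host.

```shell
#!/bin/sh
# Added example, not part of the original message: audit a chroot jail's
# mounts for the two points raised above, that the jail should sit on a
# filesystem mounted 'nodev' (and 'nosuid'), and that no procfs should be
# mounted where the jail can see it.  Assumes BSD-style `mount` output,
#   <device> on <mountpoint> type <fstype> (<opt>, <opt>, ...)
# read from stdin; the mount table below is constructed for the demo.

# mount_for_path PATH: print the mount-table line (from stdin) whose mount
# point is the longest prefix of PATH, i.e. the filesystem PATH lives on.
mount_for_path() {
    awk -v p="$1" '
        { mp = $3
          if (mp == "/" || p == mp || index(p, mp "/") == 1) {
              if (length(mp) > best) { best = length(mp); line = $0 }
          } }
        END { print line }'
}

# mount_opts LINE: extract the parenthesised option list as "a,b,c".
mount_opts() {
    printf '%s\n' "$1" | sed -e 's/^[^(]*(//' -e 's/).*$//' | tr -d ' '
}

# check_jail_mounts JAIL: read the mount table from stdin, print one FAIL
# line per problem found, and return 1 if there was any problem.
check_jail_mounts() {
    jail=$1
    table=$(cat)
    rc=0

    line=$(printf '%s\n' "$table" | mount_for_path "$jail")
    if [ -z "$line" ]; then
        echo "FAIL: no mount found for $jail"
        return 1
    fi
    opts=$(mount_opts "$line")
    for want in nodev nosuid; do
        case ",$opts," in
            *,"$want",*) ;;
            *) echo "FAIL: $jail is on a mount without $want: $line"; rc=1 ;;
        esac
    done

    # A procfs mounted below the jail root is visible from inside the jail.
    procs=$(printf '%s\n' "$table" |
            awk -v j="$jail" '$5 == "procfs" && index($3, j "/") == 1 { print $3 }')
    if [ -n "$procs" ]; then
        echo "FAIL: procfs mounted inside $jail at: $procs"
        rc=1
    fi
    return $rc
}

# Constructed mount table for the demonstration (not from a real host).
MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0e on /var/jail type ffs (local, nodev, nosuid)
/dev/wd0f on /var/jail2 type ffs (local)
procfs on /var/jail2/proc type procfs (local)'

# Usage: the first jail passes; the second fails on all three points.
printf '%s\n' "$MOUNTS" | check_jail_mounts /var/jail  && echo "OK: /var/jail"
printf '%s\n' "$MOUNTS" | check_jail_mounts /var/jail2 || echo "problems: /var/jail2"
```

On a live system feed it real output (`mount | check_jail_mounts /path/to/jail`). The check is deliberately conservative: a jail directory that is not its own mount point inherits the options of whatever filesystem contains it, usually the root filesystem without 'nodev', which the script reports as a failure.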