Subject: Re: i386 IO access and chroot()
To: None <>
From: Greg A. Woods <>
List: tech-security
Date: 07/13/2001 19:33:54
[ On Friday, July 13, 2001 at 23:02:52 (+0000), Jim Breton wrote: ]
> Subject: Re: i386 IO access and chroot()
> On Fri, Jul 13, 2001 at 06:50:11PM -0400, Greg A. Woods wrote:
> > If I'm not mistaken there are already some papers suggesting methods...
> Here is one:
> (Not saying whether this would or would not work in securelevel 2, but
> the page is very informative.)

No, that one won't work any more.  The 2nd chroot() plus fchdir() trick
was blocked in NetBSD some time ago (1999/03/22, before 1.4 was branched
if I'm reading the CVS log correctly), just as it was fixed prior to
FreeBSD-4.x.  From chroot(2):

     If the current working directory is not at or under the new root
     directory, it is silently set to the new root directory.  It should be
     noted that, on most other systems, chroot() has no effect on the
     process's current directory.

     The chroot() function call appeared in 4.2BSD.  Working directory
     handling was changed in NetBSD 1.4 to prevent one way a process could
     use a second chroot() call to a different directory to "escape" from
     the restricted subtree.  The fchroot() function appeared in NetBSD 1.4.

That is quite an informative paper otherwise though!  ;-)

							Greg A. Woods

+1 416 218-0098      VE3TCP      <>     <>
Planix, Inc. <>;   Secrets of the Weird <>
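
The chroot(2) excerpt quoted in the message above notes that on most other systems chroot() leaves the working directory untouched, so a program that confines itself can do that step explicitly rather than rely on the kernel. An added example, not part of the original message and not NetBSD code: the usual defensive sequence in C, where enter_jail() and close_directory_fds() are hypothetical names and the path and ids in the usage comment are constructed.

```c
#define _DEFAULT_SOURCE            /* exposes chroot() and setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Close every descriptor above stderr that refers to a directory, so no
 * handle on a directory outside the new root is left for fchdir().
 * Returns the number of descriptors closed. */
static int close_directory_fds(void)
{
    struct stat st;
    long max = sysconf(_SC_OPEN_MAX);
    int closed = 0;

    if (max < 0 || max > 65536)
        max = 65536;
    for (int fd = 3; fd < (int)max; fd++)
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode) && close(fd) == 0)
            closed++;
    return closed;
}

/* Confine the process to jail_dir, then drop to an unprivileged uid/gid.
 * Returns 0 on success, -1 with errno set. */
static int enter_jail(const char *jail_dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {    /* a process that stays root can chroot() again */
        errno = EINVAL;
        return -1;
    }
    if (chdir(jail_dir) != 0)      /* working directory goes inside the new root first */
        return -1;
    close_directory_fds();
    if (chroot(".") != 0 || chdir("/") != 0)
        return -1;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed usage: ./jail /var/empty 65534 (one number used as uid and gid). */
    if (argc != 3)
        return 2;
    return enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[2])) ? 1 : 0;
}
```

close_directory_fds() closes every directory descriptor it finds, so a program that still needs one inside the jail should open it after enter_jail() returns.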