Subject: Re: tar ignores filenames that contain `..'
To: Bill Studenmund <wrstuden@netbsd.org>
From: David Laight <david@l8s.co.uk>
List: tech-security
Date: 10/31/2002 18:38:19
> I believe that one works, but you had to be able to open fd. What does
> not work is passing a directory in. Thus if you didn't open fd before the
> chroot, you can't get out.
> 
> If you opened fd before the chroot, well, you were silly.

Yes - I just tested it.

It is actually the way to exploit another 'feature' I've long
been worried about, but have never found an actual use for.

If you set up some kind of chroot sandbox for a user so that
certain things can be tested as root (this may be dangerous
in itself though), then the user could pass in an open fd to
'/' on an fd number that is above the (current hard) rlimit.nofiles
value.  Since there is no way for a process to find out that
such an fd is open, it will not be closed.

	David

-- 
David Laight: david@l8s.co.uk
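As an added illustration of the point made in this message (example code written here, not David's and not part of NetBSD): a Python script that opens a number of descriptors, lowers its own soft RLIMIT_NOFILE below the highest of them, and shows that an audit loop bounded by getrlimit() never sees that descriptor while a range close (the closefrom()/close_range() idea, done here with os.closerange()) removes it. The message talks about the hard limit; the example lowers only the soft limit so that the demonstration stays reversible, and the observation is the same. The limit of 16, the 32 opens of /dev/null, the forked-child structure and the result keys are all constructed for this demonstration.

```python
import fcntl
import os
import resource

# Constructed values for the demonstration (not taken from the original message).
SOFT_LIMIT = 16      # soft RLIMIT_NOFILE the child lowers itself to
EXTRA_OPENS = 32     # enough /dev/null opens to land well above SOFT_LIMIT
FD_CAP = 1 << 20     # bound for the range close if the hard limit reports as unlimited


def is_open(fd):
    """True if fd is an open descriptor: F_GETFD fails with EBADF otherwise."""
    try:
        fcntl.fcntl(fd, fcntl.F_GETFD)
        return True
    except OSError:
        return False


def scan_up_to(limit):
    """The naive audit: probe descriptors 0..limit-1 and report the open ones."""
    return [fd for fd in range(limit) if is_open(fd)]


def close_range_except(keep, hard):
    """Close every descriptor from 3 up to the hard limit except `keep`.

    No probing is involved: the whole range is closed whether or not the
    process knows which numbers are in use, which is what closefrom() and
    close_range() provide natively."""
    top = FD_CAP if hard == resource.RLIM_INFINITY else min(hard, FD_CAP)
    os.closerange(3, keep)
    os.closerange(keep + 1, top)


def _child(report_fd):
    """Runs inside the forked child; writes five integers to report_fd."""
    fds = [os.open("/dev/null", os.O_RDONLY) for _ in range(EXTRA_OPENS)]
    high = max(fds)                      # at least fd 34, so above SOFT_LIMIT
    _soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    # Lower the soft limit below `high`; already-open descriptors stay open.
    resource.setrlimit(resource.RLIMIT_NOFILE, (min(SOFT_LIMIT, hard), hard))
    soft, hard = resource.getrlimit(resource.RLIMIT_NOFILE)
    naive_saw_high = high in scan_up_to(soft)   # the rlimit-bounded scan misses it
    open_before = is_open(high)                 # but it is still open
    close_range_except(report_fd, hard)         # range close does not need to know
    open_after = is_open(high)
    line = "%d %d %d %d %d" % (high, soft, naive_saw_high, open_before, open_after)
    os.write(report_fd, line.encode())


def run_demo():
    """Fork, run the scenario in the child, and return its findings as a dict.

    The child does the descriptor closing so the caller's own descriptors
    are never touched."""
    r, w = os.pipe()
    pid = os.fork()
    if pid == 0:
        os.close(r)
        try:
            _child(w)
            os._exit(0)
        except BaseException:
            os._exit(1)
    os.close(w)
    chunks = []
    while True:
        chunk = os.read(r, 4096)
        if not chunk:
            break
        chunks.append(chunk)
    os.close(r)
    os.waitpid(pid, 0)
    fields = b"".join(chunks).split()
    if len(fields) != 5:
        raise RuntimeError("child did not report its findings")
    high, soft, naive, before, after = (int(x) for x in fields)
    return {
        "high_fd": high,
        "soft_limit": soft,
        "naive_scan_saw_high": bool(naive),
        "open_before_range_close": bool(before),
        "open_after_range_close": bool(after),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

The lesson for anyone building such a sandbox launcher is the second half of the script: close inherited descriptors by range before the chroot rather than probing up to whatever getrlimit() returns, since the limit says nothing about descriptors that were opened or inherited before it was lowered.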