Subject: Re: extending chroot()
To: Steve Bellovin <smb@research.att.com>
From: Charles Blundell <cb@kittenz.org>
List: tech-security
Date: 01/23/2003 11:28:31
on Thu, Jan 16, 2003 at 04:08:57PM -0500, Steve Bellovin wrote:
> I'd like to be able to "jail" various untrusted applications, such as
> my netbrowser.  Chroot() is the obvious choice, but it requires root
> privileges.  However -- suppose we changed chroot() so that it didn't
> require root, but if executed by a non-root process, setuid and setgid
> would not be honored.

If it were not for proc_isunder(), you would have an exploitable condition
allowing a chroot'd process to escape the jail, because the jailed and
non-jailed uids are not distinct. (ptrace() and friends)

There are still a few places where proc_isunder() is not used which
may allow this escape including systrace's STRIOCGETCWD; this
would require /dev/systrace in the jail or a leaked descriptor to it, or
for it to be passed by a unix domain socket; some kind of abuse of
sysctl(2) proc.*.rlimits.*; info leakage with ktrace(2).
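The first paragraph of the reply turns on one kernel check: once chroot() no longer needs root, the uid inside the jail is the same uid as outside it, so a permission model that compares only uids would let a jailed process attach to an unjailed one with ptrace(), and the ancestry check proc_isunder() is what closes that path. The following is an added, user-space illustration of that point; it is not code from the mail, from NetBSD, or from the systrace project. The process table is constructed, the pids and the "/jail" path are made up, and the proc_isunder() here is a simplified model of the kernel's parent-chain walk, not the kernel routine itself.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed process table for this example (not a real system). pid 1 is
 * init and ppid 0 marks the top of the tree. "root" is the directory the
 * process sees as "/", i.e. "/jail" for processes that ran chroot("/jail"). */
struct proc {
    int pid;
    int ppid;
    int uid;
    const char *root;
};

static const struct proc table[] = {
    { 1,   0,   0,    "/"     },  /* init */
    { 100, 1,   1000, "/"     },  /* user's login shell, outside the jail */
    { 200, 100, 1000, "/jail" },  /* browser started from the shell, then chroot'd */
    { 201, 200, 1000, "/jail" },  /* helper forked inside the jail, inherits its root */
    { 300, 100, 1000, "/"     },  /* unrelated editor, same uid, outside the jail */
};
#define NPROCS (sizeof(table) / sizeof(table[0]))

static const struct proc *lookup(int pid)
{
    for (size_t i = 0; i < NPROCS; i++)
        if (table[i].pid == pid)
            return &table[i];
    return NULL;
}

/* Ancestry walk in the spirit of the kernel's proc_isunder(p1, p2): true when
 * p1 is p2 itself or a descendant of p2. Simplified user-space model (assumption),
 * walking parent links until the top of the tree is reached. */
static bool proc_isunder(int p1, int p2)
{
    for (const struct proc *p = lookup(p1); p != NULL; p = lookup(p->ppid)) {
        if (p->pid == p2)
            return true;
        if (p->ppid == 0)   /* reached init without meeting p2 */
            break;
    }
    return false;
}

/* Policy A: a uid-only check. This is the hole the mail describes once chroot()
 * needs no root: the jailed and unjailed processes share a uid. */
static bool ptrace_allowed_uid_only(int tracer, int target)
{
    const struct proc *a = lookup(tracer), *b = lookup(target);
    return a && b && a->uid == b->uid;
}

/* Policy B: same uid AND the target must be under the tracer, so a jailed
 * process can only reach its own descendants, which inherited the jail root. */
static bool ptrace_allowed_with_isunder(int tracer, int target)
{
    return ptrace_allowed_uid_only(tracer, target) && proc_isunder(target, tracer);
}

/* Count targets outside the tracer's own root that a policy would let it
 * attach to; anything above zero is a path out of the jail. Returns -1 for
 * an unknown tracer pid. */
static int count_reachable_outside_jail(int tracer, bool use_isunder)
{
    const struct proc *t = lookup(tracer);
    int n = 0;
    if (t == NULL)
        return -1;
    for (size_t i = 0; i < NPROCS; i++) {
        const struct proc *p = &table[i];
        if (p->pid == tracer || strcmp(p->root, t->root) == 0)
            continue;   /* self, or already inside the same root */
        bool ok = use_isunder ? ptrace_allowed_with_isunder(tracer, p->pid)
                              : ptrace_allowed_uid_only(tracer, p->pid);
        if (ok)
            n++;
    }
    return n;
}

int main(void)
{
    printf("uid-only check:   jailed pid 200 may attach to %d process(es) outside /jail\n",
           count_reachable_outside_jail(200, false));
    printf("with proc_isunder: jailed pid 200 may attach to %d process(es) outside /jail\n",
           count_reachable_outside_jail(200, true));
    return 0;
}
```

With the constructed table, the uid-only policy lets the jailed browser (pid 200) attach to the login shell and the editor, both of which see the real "/", while the ancestry check limits it to its own helper (pid 201), which is already inside the jail. The same reasoning is why the reply lists the remaining code paths that skip proc_isunder() as worth auditing: each of them is another place where the jailed and unjailed halves of one uid meet.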