Subject: Escaping a chroot jail
To: None <tech-security@NetBSD.org>
From: Edgar =?iso-8859-1?B?RnXf?= <firstname.lastname@example.org>
Date: 07/13/2005 23:13:16
I discussed this with Wolfgang Solfrank last week, and he suggested
I might communicate it to the security officer, who in turn suggested
discussing it here:
Is everybody aware of the fact that you should be able to escape a chroot jail
(given root privilleges and the ability to execute arbitrary code) simply
by doing a mknod() for the root file systems raw device inside the jail
and then emulating the file system?
OK, we have securelevel, but how many people are running i386 machines with
the need for XFree86? No, not me. I have cgsix attached to /dev/fb or,
for i386, a second machine set up as a diskless client just running XFree86.
In case the situation described is considered a problem, the two remedies
I can think of are either disallowing mknod() inside a chroot (at least for
disk devices) or forcibly inheriting the nodev mount option: i. e. if /var
is mounted nodev, I can't mount_mfs /var/chroot/blurb/dev non-nodev.