Subject: Re: Escaping a chroot jail
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: Steven M. Bellovin <smb@cs.columbia.edu>
List: tech-security
Date: 07/13/2005 18:42:44
In message <14566.1121292041@marajade.sandelman.ottawa.on.ca>, Michael Richardson writes:
>
>>>>>> "Thor" == Thor Lancelot Simon <tls@rek.tjls.com> writes:
>    >> and then emulating the file system?
>
>    Thor> "Emulating" the file system?
>
>  cd /usr/src/sbin/dump; make
>

Or mknod /dev/kmem and overwrite the root vnode pointer in the 
process's data structures.

chroot() has never been proof against root, for all these reasons and 
more.  It's not a new observation.

		--Steven M. Bellovin, http://www.cs.columbia.edu/~smb