Subject: Re: openat(2) and friends
To: Steinar Hamre <steinarh@pvv.ntnu.no>
From: David Laight <david@l8s.co.uk>
List: tech-kern
Date: 03/08/2005 23:46:24
> > The problem is that if there ever is a way to get an fd into the chroot
> > area, the chrooted program can get out; there's no more checking.
>
> Just to satisfy my curiosity:
>
> 1. Any fd's open when the chroot is performed. (Could easily be
> flagged at chroot time.)
> 2. rename() of directories inside the chroot to the outside. (worse)
> (collaborator on the outside "needed".)
> 3. The oh-so-magic way of passing an open fd via a socket.
> (I have no idea of how it's actually performed. Perhaps I should
> check ssh...) (As easy as 1.)
>
> Any others?
Files that are open on fd numbers greater than ulimit(NOFILE).
I haven't (yet) thought of a way to exploit this, but since programs
have (before closeall()) closed fd's up to the ulimit value, there has to
be some use for having an open one with a higher value.
David
--
David Laight: david@l8s.co.uk
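The descriptor-above-the-limit case David raises is easy to check for from the defender's side. The following C program is an added example, not code from this thread or from NetBSD: it opens a pipe, lowers the soft RLIMIT_NOFILE to below one end of that pipe (the situation in which a descriptor with a number above ulimit(NOFILE) exists), and then compares a naive audit that only scans up to the soft limit, the way a close-everything loop bounded by ulimit would, with a thorough audit that scans up to the hard limit. The helper names (`count_open_fds_naive`, `count_open_fds_thorough`, `close_fds_thorough`, `demo_hidden_fd`) and the scan cap `SCAN_CAP` are assumptions made for this example; a real program would use a platform close-from-N primitive where one exists.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/resource.h>
#include <unistd.h>

/* Upper bound for the scan when the hard limit is RLIM_INFINITY.
 * This cap is an assumption for the example, not a system constant. */
#define SCAN_CAP (1L << 20)

/* Count descriptors >= lowfd that are open, probing each number below 'limit'.
 * fcntl(F_GETFD) succeeds on any open descriptor and fails with EBADF otherwise. */
static int count_open_fds_upto(int lowfd, long limit) {
    int n = 0;
    for (long fd = lowfd; fd < limit; fd++) {
        if (fcntl((int)fd, F_GETFD) != -1)
            n++;
    }
    return n;
}

/* Naive audit: scan only up to the current soft RLIMIT_NOFILE, which is what
 * a "close everything up to ulimit(NOFILE)" loop effectively does. */
int count_open_fds_naive(int lowfd) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    return count_open_fds_upto(lowfd, (long)rl.rlim_cur);
}

/* Resolve the hard limit into a scan bound, capping RLIM_INFINITY. */
static long hard_scan_limit(void) {
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) != 0)
        return -1;
    if (rl.rlim_max == RLIM_INFINITY || rl.rlim_max > (rlim_t)SCAN_CAP)
        return SCAN_CAP;
    return (long)rl.rlim_max;
}

/* Thorough audit: scan up to the hard limit, so a descriptor that was opened
 * before the soft limit was lowered is still found. */
int count_open_fds_thorough(int lowfd) {
    long limit = hard_scan_limit();
    if (limit < 0)
        return -1;
    return count_open_fds_upto(lowfd, limit);
}

/* Close every open descriptor >= lowfd up to the hard limit; returns the
 * number closed. This is the sanitising step to run before chroot(2). */
int close_fds_thorough(int lowfd) {
    long limit = hard_scan_limit();
    int closed = 0;
    if (limit < 0)
        return -1;
    for (long fd = lowfd; fd < limit; fd++) {
        if (close((int)fd) == 0)
            closed++;
    }
    return closed;
}

/* Demonstration of the failure mode: open a pipe, lower the soft limit so that
 * the write end sits at or above it, then compare the two audits.
 * Returns 1 if the naive scan missed a descriptor the thorough scan found,
 * 0 if both agree, -1 on error. The soft limit is restored before returning. */
int demo_hidden_fd(void) {
    int p[2];
    struct rlimit orig, lowered;
    int naive, thorough;

    if (pipe(p) != 0)
        return -1;
    if (getrlimit(RLIMIT_NOFILE, &orig) != 0) {
        close(p[0]); close(p[1]);
        return -1;
    }
    lowered = orig;
    lowered.rlim_cur = (rlim_t)p[1];   /* valid range is now 0 .. p[1]-1 */
    if (setrlimit(RLIMIT_NOFILE, &lowered) != 0) {
        close(p[0]); close(p[1]);
        return -1;
    }

    naive = count_open_fds_naive(p[1]);       /* stops before p[1]: sees 0 */
    thorough = count_open_fds_thorough(p[1]); /* reaches p[1]: sees >= 1 */

    setrlimit(RLIMIT_NOFILE, &orig);          /* restore the original limit */
    close(p[0]); close(p[1]);
    return (naive == 0 && thorough >= 1) ? 1 : 0;
}

int main(void) {
    printf("naive scan misses a descriptor above ulimit(NOFILE): %s\n",
           demo_hidden_fd() == 1 ? "yes" : "no");
    return 0;
}
```

The practical consequence for a program that intends to sandbox itself is that the bound on its close-everything loop must come from the hard limit (or a kernel-provided close-from primitive), not from the soft limit, and that the audit should be run after the limit has been set to whatever value the chrooted code will see.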