[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[ale] chroot and /proc?

Subject: [ale] chroot and /proc?
From: dkg at fifthhorseman.net (Daniel Kahn Gillmor)
Date: Tue, 01 Apr 2008 17:16:31 -0400
In-reply-to: <[email protected]> (Brian Pitts's message of "Tue\, 01 Apr 2008 14\:36\:23 -0400")
References: <[email protected]> <[email protected]>

On Tue 2008-04-01 14:36:23 -0400, Brian Pitts wrote:

> You can only muck around in /proc if you have root access. It's my 
> understanding that if you have root access, you can get out of a chroot.

Brian's got it here.  If your daemon is running with superuser
privileges within the chroot, it can mount proc wherever and whenever
it wants anyway:

 mkdir /wherever
 mount -t proc proc /wherever

and then do whatever it wants to with it.

Furthermore, if yer daemon is compromised as the root user, it can do
nasty things like zero out your primary hard disk, chrooted or not:

 mknod /proxy-for-hda b 3 0
 dd if=/dev/zero of=/proxy-for-hda

/proc is really useful, and is well-locked-down from the kernel's
side.  There are weaker links to worry about.

       --dkg
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 826 bytes
Desc: not available
Url : http://mail.ale.org/pipermail/ale/attachments/20080401/9a9b0bf7/attachment-0001.bin

References:
- [ale] chroot and /proc?
  - From: jlightner at water.com (Jeff Lightner)
- [ale] chroot and /proc?
  - From: brian at polibyte.com (Brian Pitts)

Prev by Date: [ale] Tweaking 'emacs' font size
Next by Date: [ale] Ethereal
Previous by thread: [ale] chroot and /proc?
Next by thread: [ale] ALE Northeast Meeting, April 3, 2008
Index(es):
- Date
- Thread