Subject: re: i386 IO access and chroot()
To: None <tech-security@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 07/13/2001 18:50:11
[ On Saturday, July 14, 2001 at 07:02:54 (+1000), matthew green wrote: ]
> Subject: re: i386 IO access and chroot() 
>
>    With == 2 it is difficult.
> 
> this case is much more interesting.  i don't believe it's possible.

If I'm not mistaken there are already some papers suggesting methods...

Indeed many of the existing methods I've seen documented are blocked by
preventing all new mounts when securelevel>=2.....

However I don't think mknod(2) is disabled at securelevel>=2 yet, and it
probably should be, though you can work around that by putting the
chroot jail on a filesystem mounted with 'nodev' (and maybe 'nosuid'
too!).

I think there could still be holes in lesser used facilities like /proc,
so leaving it mounted in view of the chroot area may be a mistake...

Various device drivers may have issues, so if there are any device nodes
visible in the chroot area....  ('nodev' and/or no mknod()....)

If there are any more buffer-overflow style vulnerabilities in the
kernel then that's another potential avenue of escape.....

I don't know if anyone's explored the possibilities of (ab)using
networking services from within the chroot jail yet either....

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>
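The hardening points raised in this thread (a jail on a filesystem mounted 'nodev' and 'nosuid', no device nodes inside the jail, no procfs visible from it) are easy to audit from the defender's side. The POSIX sh script below is an added example written for this archive page, not code from the thread or from NetBSD; it assumes mount(8) output in the BSD "device on /mountpoint type fstype (opt, opt)" shape and, so that it runs offline, parses a constructed mount table instead of calling mount(8). Replace SAMPLE_MOUNTS with `$(mount)` to audit a live system.

```sh
#!/bin/sh
# Audit a chroot directory against the mount/device checks discussed above.
# Added example, not from the original mail. The mount table below is
# constructed sample data in the assumed BSD mount(8) format.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0e on /var type ffs (local, nodev, nosuid)
/dev/wd0f on /usr type ffs (local)
procfs on /var/jail/bind/proc type procfs (local)'

# mount_point_of PATH: print the deepest mount point that contains PATH.
mount_point_of() {
  path=$1
  best=/
  while IFS= read -r line; do
    mp=${line#* on }
    mp=${mp%% type *}
    # keep only mount points that are PATH itself or an ancestor of it
    case "$path" in
      "$mp" | "$mp"/*) ;;
      *) continue ;;
    esac
    if [ ${#mp} -gt ${#best} ]; then best=$mp; fi
  done <<EOF
$SAMPLE_MOUNTS
EOF
  printf '%s\n' "$best"
}

# mount_opts_of MOUNTPOINT: print its options as "a,b,c"; fail if unknown.
mount_opts_of() {
  while IFS= read -r line; do
    mp=${line#* on }
    mp=${mp%% type *}
    [ "$mp" = "$1" ] || continue
    opts=${line##*"("}
    opts=${opts%")"}
    printf '%s\n' "$opts" | tr -d ' '
    return 0
  done <<EOF
$SAMPLE_MOUNTS
EOF
  return 1
}

# has_opt MOUNTPOINT OPTION: succeed if the mount carries OPTION (e.g. nodev).
has_opt() {
  opts=$(mount_opts_of "$1") || return 1
  case ",$opts," in *",$2,"*) return 0 ;; esac
  return 1
}

# mounts_under JAIL: print "mountpoint fstype" for every mount inside JAIL,
# which is how a procfs left visible in the chroot area shows up.
mounts_under() {
  while IFS= read -r line; do
    mp=${line#* on }
    mp=${mp%% type *}
    ty=${line##* type }
    ty=${ty%% *}
    case "$mp" in
      "$1"/*) printf '%s %s\n' "$mp" "$ty" ;;
    esac
  done <<EOF
$SAMPLE_MOUNTS
EOF
}

# count_device_nodes DIR: number of block or character device nodes under DIR.
count_device_nodes() {
  find "$1" \( -type b -o -type c \) -print | wc -l | tr -d ' '
}

# audit_jail JAIL: print one WARN line per finding; exit status 1 if any.
audit_jail() {
  jail=$1
  status=0
  mp=$(mount_point_of "$jail")
  for want in nodev nosuid; do
    if ! has_opt "$mp" "$want"; then
      echo "WARN: $jail lives on $mp, which is not mounted $want"
      status=1
    fi
  done
  inner=$(mounts_under "$jail")
  if [ -n "$inner" ]; then
    echo "WARN: filesystems mounted inside $jail:"
    printf '%s\n' "$inner"
    status=1
  fi
  if [ -d "$jail" ] && [ "$(count_device_nodes "$jail")" != 0 ]; then
    echo "WARN: device nodes found under $jail"
    status=1
  fi
  return $status
}

# Usage: audit_jail /var/jail/bind
```

Against the constructed table, /var/jail/bind passes the nodev/nosuid check (it sits on /var) but is flagged for the procfs mounted inside it; /usr/local/jail is flagged because /usr lacks both options. On a live system the device-node count is the check that catches an mknod(2) made inside the jail before securelevel or a 'nodev' mount would have prevented it.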