Subject: Re: i386 IO access and chroot()
To: None <tech-security@netbsd.org>
From: Greg A. Woods <woods@weird.com>
List: tech-security
Date: 07/13/2001 19:33:54
[ On Friday, July 13, 2001 at 23:02:52 (+0000), Jim Breton wrote: ]
> Subject: Re: i386 IO access and chroot()
>
> On Fri, Jul 13, 2001 at 06:50:11PM -0400, Greg A. Woods wrote:
> > If I'm not mistaken there are already some papers suggesting methods...
> 
> Here is one:
> 
> http://www.bpfh.net/simes/computing/chroot-break.html
> 
> (Not saying whether this would or would not work in securelevel 2, but
> the page is very informative.)

No, that one won't work any more.  The 2nd chroot() plus fchdir() trick
was blocked in NetBSD some time ago (1999/03/22, before 1.4 was branched
if I'm reading the CVS log correctly), just as it was fixed prior to
FreeBSD-4.x.  From chroot(2):

     If the current working directory is not at or under the new root
     directory, it is silently set to the new root directory.  It should be
     noted that, on most other systems, chroot() has no effect on the
     process's current directory.

  HISTORY
     The chroot() function call appeared in 4.2BSD.  Working directory
     handling was changed in NetBSD 1.4 to prevent one way a process could
     use a second chroot() call to a different directory to "escape" from
     the restricted subtree.  The fchroot() function appeared in NetBSD 1.4.

That is quite an informative paper otherwise though!  ;-)

-- 
							Greg A. Woods

+1 416 218-0098      VE3TCP      <gwoods@acm.org>     <woods@robohack.ca>
Planix, Inc. <woods@planix.com>;   Secrets of the Weird <woods@weird.com>