top | item 42264451

(no title)

Teongot | 1 year ago

If you can get a suid root binary into the chroot, then you can control its configuration files to bypass security restrictions.

   $ ln /usr/bin/sudo ./my-chroot
   $ echo "$USER ALL=(ALL) NOPASSWD: ALL" > ./my-chroot/etc/sudoers.d/01-oops
   $ chroot ./my-chroot
   $ sudo bash

modern Linux distributions prevent creation of hard links to suid binaries, but the restrictions on chroot came years before that.

discuss

cedws|1 year ago

Can’t SUID binaries in chroots be ignored, like the nosuid mount flag?

blueflow|1 year ago

Linux namespaces can do that, with a UID namespace, you drop the ability to do SUID, and then you can open a mount namespace and bind-mount and chroot as you like.