kern.chroot_allow_open_directories

[Pawel Jakub Dawidek]

On Thu, Jul 19, 2007 at 08:34:29PM +0000, Stef Walter wrote:
> Pieter de Boer wrote:
> >> Is this sysctl meant to prevent breaking out of a chroot? Or am I
> >> missing the point of 'kern.chroot_allow_open_directories'?
> >>
> > If the sysctl was set to 0 at the moment chroot() was called, then the
> > chroot() would have failed if the calling process had open directories
> > (that's what the sysctl is meant to do, if I'm understanding the source
> > right). If directories weren't open, the chroot() would work, but the
> > process would obviously not be able to open directories outside the
> > chroot after that, even if you'd set the sysctl to 1.
> > 
> > As I see it, there's no problem here, but could be wrong; chroot() is
> > tricky afaik..
> 
> Yes, it sure is.
> 
> However if a root process inside the chroot jail reset that sysctl,
> after which it seems it could perform the usual break out thingy:
> 
> http://www.bpfh.net/simes/computing/chroot-break.html
> 
> I guess what I was wondering, is if FreeBSD is in fact immune to this
> attack, and whether it makes sense to chroot superuser processes on FreeBSD.

Superuser running inside chroot(2) has many ways to escape. You
bascially gain no additional security in chrooting a process that will
continue to operate with privileges.
You should either chroot and drop privileges or use jail(2).

-- 
Pawel Jakub Dawidek                       http://www.wheel.pl
pjd at FreeBSD.org                           http://www.FreeBSD.org
FreeBSD committer                         Am I Evil? Yes, I Am!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20070810/36c253cc/attachment.pgp