Re: [RFC][PATCH-2.4] Prevent mounting on ".."

viro@parcelfarce.linux.theplanet.co.uk
Sun, 29 Jun 2003 15:11:03 +0100


On Sun, Jun 29, 2003 at 03:09:52PM +0200, Willy TARREAU wrote:
> chroot("/var/empty") (read-only directory or file-system)
> chdir("/")
> listen(), accept(), fork(), whatever...
> -> external code injection from a cracker :
> mount("none", "..", "ramfs")
> mkdir("../mydir")
> chdir("../mydir")
> the cracker now installs whatever he wants here.

That's a BS. Same effect would be achieved by replacing ".." with ".".
Or mounting on any existing subdirectory.

If attacker can mount or chroot - you've LOST. Already. End of story.
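Added example, not part of the original message or of the patch under discussion: on Linux, mount(2) requires CAP_SYS_ADMIN and chroot(2) requires CAP_SYS_CHROOT, so a jailed daemon can be audited by reading the `CapEff` line of its `/proc/<pid>/status`. The function names, the `RISK_*` flags and the two sample status texts are constructed for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Capability bit numbers as defined in <linux/capability.h>. */
#define CAP_SYS_CHROOT_BIT 18   /* needed for chroot(2) */
#define CAP_SYS_ADMIN_BIT  21   /* needed for mount(2)  */
#define RISK_CAN_CHROOT 0x1     /* hypothetical flag names for this example */
#define RISK_CAN_MOUNT  0x2

/* Read the CapEff mask from /proc/<pid>/status text.
 * Returns 0 on success, -1 if the line is absent or has no hex value. */
int parse_capeff(const char *status, unsigned long long *mask)
{
    const char *p = status;
    while (p && *p) {                       /* p always sits at a line start */
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7;
            while (*v == ' ' || *v == '\t') v++;
            if (!isxdigit((unsigned char)*v)) return -1;
            *mask = strtoull(v, NULL, 16);
            return 0;
        }
        p = strchr(p, '\n');
        if (p) p++;
    }
    return -1;
}

/* RISK_* flags for the process, or -1 when CapEff cannot be read. */
int audit_status(const char *status)
{
    unsigned long long mask;
    int risks = 0;
    if (parse_capeff(status, &mask) != 0) return -1;
    if (mask & (1ULL << CAP_SYS_CHROOT_BIT)) risks |= RISK_CAN_CHROOT;
    if (mask & (1ULL << CAP_SYS_ADMIN_BIT))  risks |= RISK_CAN_MOUNT;
    return risks;
}

/* Constructed samples: a daemon still running as root, and one that dropped privileges. */
static const char ROOT_STATUS[] = "Name:\tdaemon\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n";
static const char DROPPED_STATUS[] = "Name:\tdaemon\nUid:\t65534\t65534\t65534\t65534\nCapEff:\t0000000000000000\n";

int main(void)
{
    printf("root daemon risks: %d\n", audit_status(ROOT_STATUS));
    printf("dropped daemon risks: %d\n", audit_status(DROPPED_STATUS));
    return 0;
}
```

A result of 0 means the process can neither mount nor chroot; any non-zero result on a jailed service is the situation the reply above calls already lost.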