Re: [RFC][PATCH-2.4] Prevent mounting on ".."

Willy TARREAU (willy@w.ods.org)
Sun, 29 Jun 2003 16:20:47 +0200

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Ricardo Galli: "Re: Dell vs. GPL"
Previous message: Willy TARREAU: "[PATCH-2.4][RESEND] Oops with bonding when enslaving IP-less interface"

On Sun, Jun 29, 2003 at 03:11:03PM +0100, viro@parcelfarce.linux.theplanet.co.uk wrote:
> On Sun, Jun 29, 2003 at 03:09:52PM +0200, Willy TARREAU wrote:
> > chroot("/var/empty") (read-only directory or file-system)
> > chdir("/")
> > listen(), accept(), fork(), whatever...
> > -> external code injection from a cracker :
> > mount("none", "..", "ramfs")
> > mkdir("../mydir")
> > chdir("../mydir")
> > the cracker now installs whatever he wants here.
>
> That's a BS. Same effect would be achieved by replacing ".." with ".".
> Or mounting on any existing subdirectory.

No, it works only with "..", and not with "." ! I don't know why, I believe
it's because the process is still attached to the old FS when mounting on ".".

> If attacker can mount of chroot - you've LOST. Already. End of story.

To me, it seems this is the *only* remaining case in an *empty* read-only
directory. The fact is that the attacker needs at least a mount point to mount
something. Not providing him one is efficient, but here he can only exploit
"..".

Please reconsider the question, Al, because I really think that with this, we
can get reliable jails for network daemons which don't need file access at all.

Cheers,
Willy

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: Ricardo Galli: "Re: Dell vs. GPL"
Previous message: Willy TARREAU: "[PATCH-2.4][RESEND] Oops with bonding when enslaving IP-less interface"