Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <e6baf7139fd14d0d82ff7be7eacccdca@AcuMS.aculab.com>
Date: Thu, 11 Mar 2021 09:45:43 +0000
From: David Laight <David.Laight@...LAB.COM>
To: "'Eric W. Biederman'" <ebiederm@...ssion.com>,
	Mickaël Salaün <mic@...ikod.net>
CC: Al Viro <viro@...iv.linux.org.uk>, James Morris <jmorris@...ei.org>, Serge
 Hallyn <serge@...lyn.com>, Andy Lutomirski <luto@...capital.net>, Casey
 Schaufler <casey@...aufler-ca.com>, Christian Brauner
	<christian.brauner@...ntu.com>, Christoph Hellwig <hch@....de>, David Howells
	<dhowells@...hat.com>, Dominik Brodowski <linux@...inikbrodowski.net>, "John
 Johansen" <john.johansen@...onical.com>, Kees Cook <keescook@...omium.org>,
	Kentaro Takeda <takedakn@...data.co.jp>, Tetsuo Handa
	<penguin-kernel@...ove.sakura.ne.jp>, "kernel-hardening@...ts.openwall.com"
	<kernel-hardening@...ts.openwall.com>, "linux-fsdevel@...r.kernel.org"
	<linux-fsdevel@...r.kernel.org>, "linux-kernel@...r.kernel.org"
	<linux-kernel@...r.kernel.org>, "linux-security-module@...r.kernel.org"
	<linux-security-module@...r.kernel.org>, Mickaël Salaün
	<mic@...ux.microsoft.com>
Subject: RE: [PATCH v2 1/1] fs: Allow no_new_privs tasks to call chroot(2)

From: Eric W. Biederman
> Sent: 10 March 2021 19:24
...
> The actual classic chroot escape is.
> chdir("/");
> chroot("/somedir");
> chdir("../../../..");

That one is easily checked.

I thought something like:
chroot("/somedir");
chdir("/somepath");

Friendly process:
mvdir("/somedir/some_path", "/bar");

was the actual escape?

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)

Powered by blists - more mailing lists

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.