On Fri, Jan 05, 2018 at 09:42:18PM +1030, David Newall wrote:
> On 05/01/18 20:06, Jakub Jelen wrote:
> > if the confined user has write access to the chroot directory,
> > there are ways to get out, gain privileges and/or do other
> > nasty things.
>
> I'm not inexperienced with UNIX and unix-like operating systems (30+ years),
> and I can't think what these ways are. Although clearly off-topic, I wonder
> if you could expound on this?

The attack involves being able to create hard links inside the chroot
referring to setuid programs outside the chroot. If you can do that then
you can e.g. make a hard link to the external /bin/su, construct your own
/etc/passwd and so on, and thereby gain root inside the chroot. Chroots
are easily escapable by root (e.g.
https://filippo.io/escaping-a-chroot-jail-slash-1/).

The particular case Jakub is referring to is:

  https://bugzilla.redhat.com/show_bug.cgi?id=522141

https://lists.mindrot.org/pipermail/openssh-unix-dev/2008-November/026981.html
has some recommendations for making the default directory that users
start in be writable in a less dangerous way.

-- 
Colin Watson                                       [cjwatson@xxxxxxxxxx]

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
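An added example, not part of the thread above and not OpenSSH's own code: a small POSIX sh audit that checks a ChrootDirectory for the two conditions Colin's message describes. The first function applies the rule sshd itself enforces for ChrootDirectory (every path component root-owned and not group/world writable), since a writable component is what lets a confined user create the hard link in the first place. The second lists files inside the jail that carry the setuid/setgid bit and have more than one link, which is the footprint of a link into the jail to a privileged program outside it. The function names, the `/srv/sftp/jail` path in the usage comment and the temporary tree built in the test are all assumptions made here.

```sh
#!/bin/sh
# Added example (not from the openssh-unix-dev thread). Function names are ours.

# check_chroot_path DIR
#   Walk DIR and each parent component, applying the rule sshd enforces for
#   ChrootDirectory: every component must be owned by root (uid 0) and must not
#   be writable by group or others. Prints each violation; returns 0 when clean.
check_chroot_path() {
    p=$1
    rc=0
    [ -e "$p" ] || { echo "missing: $p"; return 1; }
    # Make the path absolute so the dirname walk ends at "/".
    case $p in /*) ;; *) p=$(pwd)/$p ;; esac
    while :; do
        # "-prune" keeps find from descending, so only the component itself is tested.
        if [ -n "$(find "$p" -prune ! -user root -print)" ]; then
            echo "not root-owned: $p"; rc=1
        fi
        if [ -n "$(find "$p" -prune \( -perm -0020 -o -perm -0002 \) -print)" ]; then
            echo "group/world writable: $p"; rc=1
        fi
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    return $rc
}

# find_setuid_hardlinks DIR
#   List regular files under DIR that have the setuid or setgid bit set AND a
#   link count above one: a hard link made inside the jail to a privileged
#   program elsewhere (hard links cannot cross filesystems, so the target must
#   live on the same filesystem as DIR). Returns 1 if anything was found.
find_setuid_hardlinks() {
    hits=$(find "$1" -type f -links +1 \( -perm -4000 -o -perm -2000 \) -print)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# audit_chroot DIR: run both checks; returns 0 only if both are clean.
audit_chroot() {
    check_chroot_path "$1"; a=$?
    find_setuid_hardlinks "$1"; b=$?
    [ "$a" -eq 0 ] && [ "$b" -eq 0 ] && echo "clean: $1"
}

# Usage (hypothetical path): sh audit_chroot.sh /srv/sftp/jail
if [ $# -eq 1 ]; then
    audit_chroot "$1"
fi
```

A clean result from the second check is not proof of safety: it only finds links that already exist, while the first check is what removes the ability to create them. If the jail must hold a user-writable directory, keeping the jail on a filesystem that contains no setuid binaries takes the hard-link route away entirely, because `ln` cannot cross filesystem boundaries.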