[Rpm-maint] [rpm-software-management/rpm] wrong chroot/fchdir order to break out of chroot? (Issue #1884)

Vladimir Vukicevic notifications at github.com
Wed Jan 26 17:28:10 UTC 2022


I don't believe that's the behaviour of `chroot(".")` -- that can't be an escape, otherwise it would be a trivial chroot escape (not that chroot is all that secure, but it should be secure against this).  Here's a sample program (on Linux):

```c
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <sys/types.h>
#include <fcntl.h>

int main(void)
{
    char buf[1024];

    getcwd(buf, sizeof buf);
    printf("CWD orig: %s\n", buf);

    if (chdir("/") != 0) {
        perror("chdir");
        exit(1);
    }

    getcwd(buf, sizeof buf);
    printf("CWD 0: %s\n", buf);

    /* keep a descriptor to the real root before entering the chroot */
    int orig_root = open(".", O_RDONLY | O_DIRECTORY);
    if (orig_root == -1) {
        perror("open 1");
        exit(1);
    }

    if (chroot("/tmp") != 0) {   /* requires CAP_SYS_CHROOT */
        perror("chroot");
        exit(1);
    }

    printf("Entered /tmp chroot\n");

    /* cwd is still the old root, which now lies outside the chroot */
    getcwd(buf, sizeof buf);
    printf("CWD 1: %s\n", buf);

    // inside the chroot
    if (chdir("/") != 0) {
        perror("chdir 2");
        exit(1);
    }
    int new_root = open(".", O_RDONLY | O_DIRECTORY);
    if (new_root == -1) {
        perror("open 3");
        exit(1);
    }

    chdir(".");

    getcwd(buf, sizeof buf);
    printf("CWD 2: %s\n", buf);

    /* root is already /tmp and cwd is inside it, so this changes nothing */
    if (chroot(".") != 0) {
        perror("chroot 2");
        exit(1);
    }
    printf("After . chroot\n");
    getcwd(buf, sizeof buf);
    printf("CWD 3: %s\n", buf);

    /* cwd moves to the real root, but the process root stays /tmp */
    if (fchdir(orig_root) != 0) {
        perror("fchdir");
        exit(1);
    }
    printf("After fchdir\n");
    getcwd(buf, sizeof buf);
    printf("CWD 4: %s\n", buf);

    close(new_root);
    close(orig_root);
    return 0;
}
```

This outputs:

```
CWD orig: /home/vladimir/tmp
CWD 0: /
Entered /tmp chroot
CWD 1: (unreachable)/
CWD 2: /
After . chroot
CWD 3: /
After fchdir
CWD 4: (unreachable)/
```

Note the last two CWDs: the `chroot(".")` didn't do anything, because it just changes the root to `.` inside the chroot wd. Afterwards, the working directory after the fchdir (to the actual true root) is still unreachable, meaning we are still inside the chroot; no exit has happened.

If I swap the order of the fchdir and the chroot:

```
CWD orig: /home/vladimir/tmp
CWD 0: /
Entered /tmp chroot
CWD 1: (unreachable)/
CWD 2: /
After fchdir
CWD 4: (unreachable)/
After . chroot
CWD 3: /
```

then I actually break out of the chroot.



-- 
Reply to this email directly or view it on GitHub:
https://github.com/rpm-software-management/rpm/issues/1884#issuecomment-1022424523