Chroot
Zutao Zhu
10/30/2009
Outline
• Task 1 - 4
Hard Link
• ln ab.txt cd.txt
Symbolic Link
• ln -s ab.txt cd.txt
File Descriptor
• How is a file descriptor used?
  – Capability!
• Use chroot() after fopen()
  – Then fgetc()
chroot and chroot()
• Read the chroot command manual page and the chroot() function manual page.
  – http://ss64.com/bash/chroot.html
  – http://linux.die.net/man/2/chroot
• Think about the following behavior after the chroot command and the chroot() function
• http://www.kegel.com/crosstool/current/chrootshell.c
How does su work?
• What files does su use when authenticating users?
• http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html
Get out with root privilege
• Get the root privilege within the jail
• Copy a shell to the jail
• Chown the shell to root
• Chmod the shell to be set-uid
• Prepare passwd and shadow files
• Run the program from outside of the jail
Break out of a chroot jail
• Background knowledge
  – Current working directory
  – Root directory
• Most implementations of chroot() do not change the working directory of the process to within the directory the process is now chroot()ed in.
Break out of a chroot jail
• Strategy
  – Open the current working directory
  – Create a temporary directory in its current working directory
  – Change the root directory of the process to the temporary directory using chroot().
  – Perform chdir("..") calls many times to move the current working directory into the real root directory.
  – Change the root directory of the process to the current working directory, the real root directory, using chroot(".")
Kill a process
• The user inside the jail knows the pid of a process running outside of the jail
• chroot(), chdir(), kill(pid, SIGKILL)
Bonus question
• “Using ptrace allows you to set up system call interception and modification at the user level.”, quoted from http://www.linuxjournal.com/article/6100
• http://www.lxhp.in-berlin.de/lhpsysc0.html
How to secure chroot()
• discussion
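One starting point for the discussion, as an added example that is not part of the original slides: a jail-entry routine that moves the working directory into the jail before calling chroot() and then gives up root, so the two conditions the earlier slides rely on (working directory left outside the new root, root privilege kept inside the jail) no longer hold. The helper name `enter_jail` and the uid/gid 65534 are assumptions.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* enter_jail() is a hypothetical helper (added example). Returns 0 on
 * success, -1 with errno set on failure; callers must treat failure as fatal.
 * Directory descriptors opened before this call must be closed by the caller:
 * an open descriptor is a capability that keeps working after chroot(). */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    /* Staying root inside the jail defeats it: root can call chroot() again. */
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }

    /* Move the working directory into the jail BEFORE changing the root,
     * because chroot() itself leaves the working directory untouched. */
    if (chdir(jail) != 0) return -1;
    if (chroot(".") != 0) return -1;
    if (chdir("/") != 0) return -1;

    /* Drop privileges in this order: supplementary groups, gid, then uid.
     * Once setuid() has run, the process can no longer change its groups. */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;

    /* Verify the drop is irreversible: regaining uid 0 must fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed usage: jail path from argv; 65534 is assumed to be an
     * unprivileged account. The program must be started as root. */
    if (argc != 2) { fprintf(stderr, "usage: %s <jail-dir>\n", argv[0]); return 2; }
    if (enter_jail(argv[1], 65534, 65534) != 0) { perror("enter_jail"); return 1; }
    printf("jailed as uid %d; cwd and root are both the jail\n", (int)getuid());
    return 0;
}
```

Files the jailed program needs should be opened either before `enter_jail()` (and kept as plain file descriptors, not directory descriptors) or placed inside the jail directory.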
Reference
• http://www.bpfh.net/simes/computing/chroot-break.html
• http://ss64.com/bash/chroot.html
• http://linux.die.net/man/2/chroot
• http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html