mirror of https://github.com/mkerrisk/man-pages
chroot.2: Minor fixes
Signed-off-by: Michael Kerrisk <mtk.manpages@gmail.com>
This commit is contained in:
parent
3c4dfb62a5
commit
ba9aa794c8
|
@ -73,27 +73,29 @@ capability) may call
|
|||
.BR chroot ().
|
||||
|
||||
This call changes an ingredient in the pathname resolution process
|
||||
and does nothing else. In particular, it is not intended to be used
|
||||
and does nothing else.
|
||||
In particular, it is not intended to be used
|
||||
for any kind of security purpose, neither to fully sandbox a process nor
|
||||
to restrict filesystem syscalls. In the past,
|
||||
to restrict filesystem system calls.
|
||||
In the past,
|
||||
.BR chroot ()
|
||||
has been used by daemons to restrict themselves prior to passing paths
|
||||
supplied by untrusted users into syscalls like
|
||||
supplied by untrusted users to system calls such as
|
||||
.BR open (2).
|
||||
However, if a folder is moved out of the chroot directory, an attacker
|
||||
can exploit that to get out of the chroot directory as well. The easiest
|
||||
way to do that is to
|
||||
can exploit that to get out of the chroot directory as well.
|
||||
The easiest way to do that is to
|
||||
.BR chdir (2)
|
||||
to the to-be-moved directory, wait for it to be moved out, then open a
|
||||
path like ../../../etc/passwd.
|
||||
|
||||
|
||||
.\" This is how the "slightly trickier variation" works:
|
||||
.\" https://github.com/QubesOS/qubes-secpack/blob/master/QSBs/qsb-014-2015.txt#L142
|
||||
A slightly
|
||||
trickier variation also works under some circumstances if
|
||||
.BR chdir (2)
|
||||
is not permitted. If a daemon allows a "chroot directory" to be specified,
|
||||
is not permitted.
|
||||
If a daemon allows a "chroot directory" to be specified,
|
||||
that usually means that if you want to prevent remote users from accessing
|
||||
files outside the chroot directory, you must ensure that folders are never
|
||||
moved out of it.
|
||||
|
|
Loading…
Reference in New Issue