I have a directory `/var/mychroot` on the same filesystem as `/`, and I've started the program `/var/mychroot/prog` as `sudo chroot /var/mychroot /prog`, so the program is running as EUID 0. If the program executes the `chdir("..")` escape technique, then it is able to escape the chroot and see everything within `/`. (I've verified this on Linux 4.18.)

I want to prevent such an escape. In fact I want to prevent all kinds of chroot escapes, but in this question I'm only interested in how the `chdir("..")` escape technique can be prevented on modern Linux systems. For this I'm looking for alternatives to the chroot(2) system call.
I've found 2 solutions: `pivot_root` and `MS_MOVE`, but they only work if `/var/mychroot` is a mount point, so they fail if `/var/mychroot` is just a subdirectory within the `/` filesystem. Is there another solution in this case?

I want to avoid techniques using `LD_PRELOAD` (because `LD_PRELOAD` doesn't affect statically linked executables), techniques using ptrace(2) (because then I'm not able to run `strace` within the chroot, and also ptrace(2) is very tricky to get right: processes will crash or hang) and real virtualization (e.g. Xen or KVM or QEMU; because of the performance overhead and the less flexible memory provisioning).
To recap, I need:

- an alternative to the chroot(2) system call,
- with which root can restrict processes running as root (EUID 0),
- to a subdirectory of the filesystem of `/`,
- which prevents the `chdir("..")` escape technique,
- and doesn't use `LD_PRELOAD` or
- ptrace(2) or
- virtualization (e.g. Xen, KVM or QEMU),
- and it runs on a modern Linux system,
- with an unpatched kernel.

Does it exist?
`apt-get install UNTRUSTED-PACKAGE` is run, where the install script of the package can contain malicious code. A similar use case is `docker run UNTRUSTED-IMAGE`, the default commands of such packages run as root. Docker is not using chroot for filesystem isolation, and I'm also interested in understanding what would break if it did, and how it could be fixed. – pts Jan 05 '19 at 02:29