Chroot
Zutao Zhu
10/30/2009

Outline
• Task 1 - 4

Hard Link
• ln ab.txt cd.txt

Symbolic Link
• ln -s ab.txt cd.txt

File Descriptor
• How is a file descriptor used?
• Capability!
• Use chroot() after fopen()
• Then fgetc()

chroot and chroot()
• Read the chroot command manual page and the chroot() function manual page.
• http://ss64.com/bash/chroot.html
• http://linux.die.net/man/2/chroot
• Think about the following behavior after the chroot command and the chroot() function
• http://www.kegel.com/crosstool/current/chrootshell.c

How does su work?
• What files does su use when authenticating users?
• http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html

Get out with root privilege
• Get the root privilege within the jail
• Copy a shell to the jail
• Chown the shell to root
• Chmod the shell to be set-uid
• Prepare passwd and shadow files
• Run the program from outside of the jail

Break out of a chroot jail
• Background knowledge
• Current working directory
• Root directory
• Most implementations of chroot() do not change the working directory of the process to within the directory the process is now chroot()ed in.

Break out of a chroot jail
• Strategy
• Open the current working directory
• Create a temporary directory in its current working directory
• Change the root directory of the process to the temporary directory using chroot().
• Perform chdir("..") calls many times to move the current working directory into the real root directory.
• Change the root directory of the process to the current working directory, the real root directory, using chroot(".")

Kill a process
• The user inside the jail knows the pid of a process running outside of the jail
• chroot(), chdir(), kill(pid, SIGKILL)

Bonus question
• “Using ptrace allows you to set up system call interception and modification at the user level.”, quoted from http://www.linuxjournal.com/article/6100
• http://www.lxhp.in-berlin.de/lhpsysc0.html

How to secure chroot()
• discussion
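
One hardened way to enter a jail, addressing the points raised on the slides above (the working directory is not moved by chroot(), open file descriptors act as capabilities, and root inside the jail can call chroot() again). This is an added example, not code from the slides; the names enter_jail and dir_fds and the uid/gid 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Count descriptors that refer to directories; close them when do_close is
 * set. A directory opened before chroot() still names a location outside
 * the jail afterwards, so none may survive into jailed code. */
int dir_fds(int do_close) {
    long max = sysconf(_SC_OPEN_MAX);
    int n = 0;
    if (max < 0 || max > 65536) max = 65536;
    for (int fd = 0; fd < max; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode)) {
            n++;
            if (do_close) close(fd);
        }
    }
    return n;
}

/* Enter the jail at dir and give up root permanently.
 * Returns 0 on success, -1 on any failure (the caller must then exit). */
int enter_jail(const char *dir, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) return -1;   /* root inside a jail can call chroot() again */
    if (chdir(dir) != 0) return -1;        /* put the cwd inside the jail first */
    if (chroot(".") != 0) return -1;       /* root directory now equals the cwd */
    if (chdir("/") != 0) return -1;
    dir_fds(1);                            /* drop directory handles opened earlier */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;       /* group before user, while still root */
    if (setuid(uid) != 0) return -1;
    if (setuid(0) == 0) return -1;         /* regaining root must be impossible */
    return 0;
}

int main(int argc, char **argv) {
    /* 65534 is a constructed sample id (commonly "nobody"); run as root. */
    if (argc != 2 || enter_jail(argv[1], 65534, 65534) != 0) {
        fprintf(stderr, "usage (as root): %s <jail-dir>\n", argv[0]);
        return 1;
    }
    printf("jailed: uid=%d open dir fds=%d\n", (int)getuid(), dir_fds(0));
    return 0;
}
```

Regular files opened on purpose before the call (the fopen() then fgetc() case from the File Descriptor slide) stay usable; only directory handles are closed.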
Reference
• http://www.bpfh.net/simes/computing/chroot-break.html
• http://ss64.com/bash/chroot.html
• http://linux.die.net/man/2/chroot
• http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html