Chroot
Download
1 / 14

Chroot - PowerPoint PPT Presentation


  • 114 Views
  • Uploaded on

Chroot. Zutao Zhu 10/30/2009. Outline. Task 1 - 4. Hard Link. ln ab.txt cd.txt. Symbolic Link. ln -s ab.txt cd.txt. File Descriptor. How does file descriptor be used? Capability! Use chroot() after fopen() Then fgetc(). chroot and chroot().

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about ' Chroot' - tambre


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Chroot

Chroot

Zutao Zhu

10/30/2009


Outline
Outline

  • Task 1 - 4


Hard link
Hard Link

  • ln ab.txt cd.txt


Symbolic link
Symbolic Link

  • ln -s ab.txt cd.txt


File descriptor
File Descriptor

  • How does file descriptor be used?

    • Capability!

  • Use chroot() after fopen()

    • Then fgetc()


Chroot and chroot
chroot and chroot()

  • Read chroot command manual page and chroot() function manual page.

    • http://ss64.com/bash/chroot.html

    • http://linux.die.net/man/2/chroot

  • Think of the following behavior after chroot command and chroot() function

  • http://www.kegel.com/crosstool/current/chrootshell.c


How does su work
How does su work?

  • What files does su use when authenticating users?

  • http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html


Get out with root privilege
Get out with root privilege

  • Get the root privilege within the jail

  • Copy a shell to the jail

  • Chown the shell to root

  • Chmod the shell to be set-uid

  • Prepare passwd and shadow files

  • Run the program from outside of the jail


Break out of a chroot jail
Break out of a chroot jail

  • Background knowledge

    • Current working directory

    • Root directory

  • Most implementations of chroot() not changing the working directory of the process to within the directory the process is now chroot()ed in.


Break out of a chroot jail1
Break out of a chroot jail

  • Strategy

    • Open the current working directory

    • Create a temporary directory in its current working directory

    • Change the root directory of the process to the temporary directory using chroot().

    • Perform chdir("..") calls many times to move the current working directory into the real root directory.

    • Change the root directory of the process to the current working directory, the real root directory, using chroot(".")


Kill a process
Kill a process

  • The user inside the jail knows the pid of a process running outside of the jail

  • chroot(), chdir(), kill(pid, SIGKILL)


Bonus question
Bonus question

  • “Using ptrace allows you to set up system call interception and modification at the user level. “, quoted from http://www.linuxjournal.com/article/6100

  • http://www.lxhp.in-berlin.de/lhpsysc0.html



Reference
Reference

  • http://www.bpfh.net/simes/computing/chroot-break.html

  • http://ss64.com/bash/chroot.html

  • http://linux.die.net/man/2/chroot

  • http://www.linuxdocs.org/HOWTOs/User-Authentication-HOWTO/x101.html


ad