Linked by Thom Holwerda on Sun 29th Jan 2006 16:04 UTC, submitted by Falko Timme
Privacy, Security, Encryption

"This tutorial describes how to install and configure OpenSSH so that it will allow chrooted sessions for users. With this setup, you can give your users shell access without having to fear that they can see your whole system. Your users will be jailed in a specific directory which they will not be able to break out of."
RE[2]: Great Info
by mikehearn on Mon 30th Jan 2006 10:39 UTC in reply to "RE: Great Info"

You can break out of a chroot if there is any program running as the same user as yourself that is not also jailed. Obviously, if you are root then there will always be a few programs running as root that aren't jailed, so that's trivial. A more subtle case is when you are chrooting the shell but not the SSH daemon instance that is connecting the user to it.

I'll leave it as an exercise for the reader to figure out how you can use an unjailed program running as the same user to break out of the jail ... it requires some sophistication on the part of the attacker but it can be done.

(edit: to be more precise, there needs to be an unjailed process that the user can send signals to - on Linux the rules are slightly different for suid programs so the SSH daemon instance being used to connect is probably not a problem)

Edited 2006-01-30 10:55

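An administrator can audit for the condition the comment above describes: processes a jailed user is allowed to signal whose root directory lies outside the jail. The following is an added example, not part of the original comment or the linked tutorial; it assumes Linux `/proc` and the kill(2) rule that the sender's real or effective UID must match the target's real or saved set-user-ID. The UID, jail path and process list are constructed sample values.

```python
import os

def signalable_by(uid, status_text):
    """True if a process running as `uid` may signal the process described by
    this /proc/<pid>/status text (target's real or saved UID must match)."""
    for line in status_text.splitlines():
        if line.startswith("Uid:"):
            # Field order in /proc/<pid>/status: real, effective, saved, fs
            real, _eff, saved, _fs = (int(x) for x in line.split()[1:5])
            return uid in (real, saved)
    return False

def inside(root, jail):
    """True if a process root directory is the jail itself or below it."""
    root, jail = os.path.normpath(root), os.path.normpath(jail)
    return root == jail or root.startswith(jail.rstrip("/") + "/")

def unjailed_targets(uid, jail, procs):
    """procs: iterable of (pid, status_text, root_path). Returns the PIDs the
    jailed uid can signal although their root is outside the jail."""
    return [pid for pid, status, root in procs
            if signalable_by(uid, status) and not inside(root, jail)]

def scan_proc():
    """Collect (pid, status, root) from a live Linux /proc; run as root."""
    for name in filter(str.isdigit, os.listdir("/proc")):
        try:
            with open(f"/proc/{name}/status") as fh:
                status = fh.read()
            yield int(name), status, os.readlink(f"/proc/{name}/root")
        except OSError:
            continue  # process exited, or its root link is not readable

# Constructed sample: uid 1001 is jailed in /home/jail (hypothetical values).
SAMPLE = [
    (4001, "Name:\tbash\nUid:\t1001\t1001\t1001\t1001\n", "/home/jail"),
    (4002, "Name:\trsync\nUid:\t1001\t1001\t1001\t1001\n", "/"),
    (4003, "Name:\tdaemon\nUid:\t0\t1001\t0\t1001\n", "/"),
    (4004, "Name:\tcron\nUid:\t0\t0\t0\t0\n", "/"),
]

if __name__ == "__main__":
    print(unjailed_targets(1001, "/home/jail", SAMPLE))
```

On a live host, pass `scan_proc()` as the third argument; an empty result means no process outside the jail is signalable by that UID at the moment of the scan.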