Contents: Securing Network ServicesProxiesSpecific Examples


About this document

3. Breaking Out of and Securing chroot Jails

It is not difficult to break out of a chroot jail if it is carelessly setup --- especially if an intruder can get root privileges within the jail.

3.1. Breaking Out Using chroot() and chdir()

It is possible to break out of a chroot jail given root privileges --- at least on Linux and Solaris, and any other "unix" whose chroot() system call works the same, or a similar, way: on most unices, the location of the process's root is stored within its entry in the process table --- chroot() simply changes this. Hence, in principle, one simply needs to make a sequence of system-calls to chroot() or perhaps chdir() to break out.

(The above procedure will not work on suitably configured FreeBSD v4 and above, or, for example, GRSecurity-patched Linux.)

To break out of a chroot jail an intruder will need:

  1. Access to the chroot jail through a security hole in, e.g., a daemon/service running from the jail: remember to patch the contents of the jail as well as the OS outside; audit those CGI scripts...

  2. root-privilege escalation by some means — beware of setuid root executables and scripts;

  3. ability to upload, or build and run, an executable similar to this.

3.2. Breaking Out Using Other Methods

 -- chroot-breaking buffer overflows

If it is possible to create device nodes within the chroot jail then a break out is possible by creating your own /dev/hda (or other disk node) or /dev/kmem --- in the latter case it is possible to patch the kernel as it is running and then anything is possible. (Root privilege is required.)

3.3. Make Use of chattr

To help prevent upload or build of a "break out" binary (see above) or creation of a new device, use chattr to make the jail immutable.)

3.4. Influence from Within the Jail

Even from within the jail, some influence can be brought to bear, for example:

3.5. Making chroot Jails More Secure

Quoting from Chuvakin's article (see below):

...if there is no root user defined within the chroot environment, no SUID binaries, no devices, and the daemon itself dropped root privileges right after calling chroot() call (like in the code below), breaking out of chroot appears to be impossible.

So, while there is no such thing as a perfectly secure chroot jail, good policy would appear to be:

(Until recently it was possible to run binaries on a noexec-mounted partition on Linux using a command like /lib/ld*.so <executable>. This trick fails since Linux 2.4.25/2.6.0.)

3.6. More

Docs -- Securing chroot jails and breaking out of them:

 -- How to break out of a chroot() jail
    Published on May 12, 2002 - by Simes, ©Simes.
     -- http://www.bpfh.net/simes/computing/chroot-break.html

 -- Using Chroot Securely
    Published on October 02, 2002 - by Anton Chuvakin, ©Guardian Digital, 

 -- Runtime Kernel Kmem Patching, Silvio Cesare
     -- http://www.big.net.au/~silvio/runtime-kernel-kmem-patching.txt

 -- Linux on-the-fly kernel patching without LKM, from Phrack Inc, at 
     -- http://www.phrack.org/phrack/58/p58-0x07


...previousup (conts)next...