It is not difficult to break out of a chroot jail if it is carelessly set up --- especially if an intruder can get root privileges within the jail.
It is possible to break out of a chroot jail given root privileges --- at least on Linux and Solaris, and on any other "unix" whose chroot() system call works the same or a similar way. On most unices the location of a process's root directory is stored in its entry in the process table, and chroot() simply changes that field. Hence, in principle, a sequence of chroot() (or perhaps chdir()) system calls is all that is needed to break out.
(The above procedure will not work on suitably configured FreeBSD v4 and above, or, for example,
To break out of a chroot jail an intruder will need:
-- chroot-breaking buffer overflows
If it is possible to create device nodes within the chroot jail, then a break out is possible by creating your own /dev/hda (or another disk node) or /dev/kmem --- in the latter case the running kernel can be patched in memory, after which anything is possible. (Root privilege is required.)
To help prevent the upload or build of a "break out" binary (see above), or the creation of a new device node, use chattr to make the jail immutable.
Even from within the jail, some influence can be brought to bear, for example:
Quoting from Chuvakin's article (see below):
...if there is no root user defined within the chroot environment, no SUID binaries, no devices, and the daemon itself dropped root privileges right after calling chroot() call (like in the code below), breaking out of chroot appears to be impossible.
So, while there is no such thing as a perfectly secure chroot jail, good policy would appear to be:
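The daemon-side half of that policy, as an added example that is not code from the page or from Chuvakin's article: enter the jail and then immediately and irrevocably drop root, refusing to run if any root privilege remains. The jail path and the uid/gid values are illustrative; the chroot() call itself needs root to succeed.

```c
/* Added example (not from the page or Chuvakin's article): a daemon-side
 * helper that enters a chroot jail and then immediately drops root.
 * Paths, uid and gid are illustrative. Returns -1 on any failure so the
 * caller can abort instead of running half-jailed. */
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 only when the process is no longer root AND cannot get root
 * back with setuid(0): the state a jailed daemon must be in. */
int privileges_dropped(void) {
    if (geteuid() == 0 || getuid() == 0) return 0;
    return setuid(0) == -1 && errno == EPERM;
}

/* Enter `jail` and drop to uid/gid. chdir() into the jail happens before
 * chroot() so a bad path fails early, and chdir("/") after chroot() so the
 * working directory is inside the new root (a cwd or open directory fd
 * left outside the jail is the classic foothold for an escape).
 * Supplementary groups are cleared before the gid/uid change, and the uid
 * change goes last because it removes the power to do the rest. */
int enter_jail(const char *jail, uid_t uid, gid_t gid) {
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; } /* never stay root */
    if (chdir(jail) != 0)        return -1;
    if (chroot(jail) != 0)       return -1;  /* needs root / CAP_SYS_CHROOT */
    if (chdir("/") != 0)         return -1;
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0)        return -1;
    if (setuid(uid) != 0)        return -1;  /* sets real, effective and saved uid */
    return privileges_dropped() ? 0 : -1;    /* refuse to run if root remains */
}

int main(void) {
    /* Illustrative jail path and the conventional "nobody" ids. */
    if (enter_jail("/var/jail/example", 65534, 65534) != 0) {
        perror("enter_jail");
        return 1;
    }
    puts("jailed and unprivileged");
    return 0;
}
```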
Docs -- Securing chroot jails and breaking out of them:
-- How to break out of a chroot() jail, Simes, published May 12, 2002, ©Simes. http://www.bpfh.net/simes/computing/chroot-break.html
-- Using Chroot Securely, Anton Chuvakin, published October 02, 2002, ©Guardian Digital.
-- Runtime Kernel Kmem Patching, Silvio Cesare. http://www.big.net.au/~silvio/runtime-kernel-kmem-patching.txt
-- Linux on-the-fly kernel patching without LKM, Phrack Inc. http://www.phrack.org/phrack/58/p58-0x07