On trusty I can break out of pivot_root chroot

Bug #1377267 reported by Serge Hallyn
Affects: linux (Ubuntu) | Status: Invalid | Importance: High | Assigned to: Unassigned | Milestone: none

Bug Description

After doing a pivot_root, it should not be possible to use the standard well-known 'chroot escape' technique to escape back to the host root. However, Andrey Vagin found that on 14.04 that is in fact possible, if you first chroot.

In 14.10, this is NOT possible.

I've uploaded test scripts under http://people.canonical.com/~serge/chrootintoslave . Download the cis.* from there into a home directory in a clean vm, make them all executable, and run "./cis.maintest".

I posted a similar set of scripts (just tweaking how the chroot+chdir are done after pivot_root) in http://people.canonical.com/~serge/chrootintoslave.2 - those have the same results on my system.

Serge Hallyn (serge-hallyn) wrote :

12.04 fails the same way.

Note again that this is only in the case where we chroot before we pivot_root. This is done in lxc in the case where we find / is on a ramfs, which is a special case usually on Android systems.

Brad Figg (brad-figg) wrote : Missing required logs.

This bug is missing log files that will aid in diagnosing the problem. From a terminal window please run:

apport-collect 1377267

and then change the status of the bug to 'Confirmed'.

If, due to the nature of the issue you have encountered, you are unable to run this command, please add a comment stating that fact and change the bug status to 'Confirmed'.

This change has been made by an automated script, maintained by the Ubuntu Kernel Team.

Changed in linux (Ubuntu):
status: New → Incomplete
tags: added: trusty
Brad Figg (brad-figg)
Changed in linux (Ubuntu):
status: Incomplete → Triaged
Joseph Salisbury (jsalisbury) wrote :

Not sure if this should be Private security or Public yet. I'll mark it as Private for now.

Changed in linux (Ubuntu):
importance: Undecided → High
tags: added: kernel-da-key
information type: Public → Private Security
Seth Arnold (seth-arnold) wrote :

Joseph, thanks, but there's not much point in making it private once it's been public for two hours.

Thanks

information type: Private Security → Public Security
Serge Hallyn (serge-hallyn) wrote :

It would appear this has always been the case, and probably is not a bug. We will work around it in lxc.

I think what is happening is: in pivot_root, the new root is mounted over the struct path of the previous current->fs->root (using attach_mnt). Since current->fs->root after a chroot was not absolute, the chroot escape can still escape. In fact in the example scripts, where we chrooted to /mnt, we can see after the chrootbreak that our new root is under /mnt/root.

Changed in linux (Ubuntu):
status: Triaged → Invalid
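As an added illustration (not lxc's code and not the cis.* scripts from the report), the program below enters a new root with pivot_root and no preceding chroot, which is the ordering the analysis above says avoids the problem: the new root is attached over an absolute root, the cwd is moved inside it, and the old root is detached. It assumes CAP_SYS_ADMIN, a directory to use as the new root, and a /bin/sh inside that directory; the function name enter_new_root is this example's own.

```c
#include <errno.h>
#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define NEWNS_FLAG 0x00020000 /* CLONE_NEWNS from linux/sched.h */

/* Enter NEW_ROOT via pivot_root() with no preceding chroot(): private mount
 * namespace, NEW_ROOT bind-mounted onto itself (pivot_root needs a mount
 * point), old root parked at NEW_ROOT/.oldroot, chdir("/") so the cwd is
 * inside the new root, then MNT_DETACH of the old root.  Needs
 * CAP_SYS_ADMIN.  Returns 0 on success, -1 with errno set on failure. */
static int enter_new_root(const char *new_root)
{
    struct stat st;
    char put_old[4096];
    /* Unprivileged sanity check first: NEW_ROOT must be a directory. */
    if (stat(new_root, &st) < 0)
        return -1;
    if (!S_ISDIR(st.st_mode)) { errno = ENOTDIR; return -1; }
    if (snprintf(put_old, sizeof put_old, "%s/.oldroot", new_root) >= (int)sizeof put_old) {
        errno = ENAMETOOLONG; return -1;
    }
    /* unshare()/pivot_root() wrappers depend on feature macros; use syscall(). */
    if (syscall(SYS_unshare, NEWNS_FLAG) < 0)
        return -1;
    if (mount(NULL, "/", NULL, MS_REC | MS_PRIVATE, NULL) < 0) /* no propagation back */
        return -1;
    if (mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL) < 0)
        return -1;
    if (mkdir(put_old, 0700) < 0 && errno != EEXIST)
        return -1;
    if (syscall(SYS_pivot_root, new_root, put_old) < 0)
        return -1;
    if (chdir("/") < 0) /* cwd must not stay in the old tree */
        return -1;
    if (umount2("/.oldroot", MNT_DETACH) < 0)
        return -1;
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <new-root-dir>\n", argv[0]); return 2; }
    if (enter_new_root(argv[1]) < 0) { perror("enter_new_root"); return 1; }
    execl("/bin/sh", "sh", (char *)NULL); /* a shell inside the new root */
    perror("execl"); return 1;
}
```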