How to break out of chroot
Assume black hat has broken out of UML
needs tools
- has UML binary and root filesystem
copies tools out of the filesystem or FTPs them in
- make chroot directory non-writeable
- can't create new files
Notes:
There are further things that can be done to tighten up a chroot jail. Let us assume that a black hat has found a way of breaking out of UML and also has a way of breaking out of a chroot jail as a normal user. Let us assume that he has complete control of the UML.
To break out of the chroot jail, he will presumably need some tools. The only files available in the jail are the UML binary and the filesystem. Presumably, these are not directly usable as tools, so he will have to import tools somehow.
This leads to our first requirement - that the chroot directory be non-writeable by the uid running UML. This prevents any new files from being created.
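One way to check this requirement on the host, as an added example that is not part of the original slides: the script walks the jail and reports every directory in which the uid running UML could create a file, or which that uid owns and could therefore chmod back to writable. The function name audit_jail, the demo directory layout and the stand-in uid are assumptions, and only classic owner/group/other mode bits for an unprivileged uid are modelled.

```python
import os
import stat
import tempfile


def audit_jail(jail, uid, gids=()):
    """Return sorted (path, reason) pairs for directories under `jail`
    where the unprivileged `uid` can create files ("writable") or could
    chmod write access back on ("owned"). ACLs are not modelled."""
    findings, stack = [], [jail]
    while stack:
        path = stack.pop()
        st = os.lstat(path)
        # Classic Unix check: exactly one permission class applies.
        if st.st_uid == uid:
            w, x = stat.S_IWUSR, stat.S_IXUSR
        elif st.st_gid in gids:
            w, x = stat.S_IWGRP, stat.S_IXGRP
        else:
            w, x = stat.S_IWOTH, stat.S_IXOTH
        # Creating a file needs both write and search permission.
        if st.st_mode & w and st.st_mode & x:
            findings.append((path, "writable"))
        elif st.st_uid == uid:
            findings.append((path, "owned"))
        try:
            with os.scandir(path) as entries:
                stack.extend(e.path for e in entries
                             if e.is_dir(follow_symlinks=False))
        except PermissionError:
            pass  # unreadable to the auditor; the directory itself was checked
    return sorted(findings)


if __name__ == "__main__":
    # Constructed jail: a locked-down top level with one forgotten
    # world-writable subdirectory.
    jail = tempfile.mkdtemp(prefix="uml-jail-")
    os.mkdir(os.path.join(jail, "scratch"))
    os.chmod(os.path.join(jail, "scratch"), 0o777)
    os.chmod(jail, 0o555)
    uml_uid = os.lstat(jail).st_uid + 1  # hypothetical stand-in for the UML uid
    for path, reason in audit_jail(jail, uml_uid):
        print(f"{reason:9} {path}")
```

An empty result means the uid cannot create files anywhere in the jail through ordinary permission bits.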