jailshell: get out of jail free

Discussion in 'Security' started by tylerl, Nov 4, 2010.

  1. tylerl

    tylerl Active Member

    Dec 11, 2009
    This isn't new, nor is it news.

    I recently needed to give jailshell'ed users access to specific root functionality outside the chroot jail on a specific server. The mechanism for breaking out of jail is so trivial that I figured I'd post it here for two reasons.

    First, if you need to be able to grant out-of-jail access on specific setuid-root binaries for jailshell users, here's the solution. And second, if you're considering using jailshell for security reasons, you ought to know how very little protection it actually offers. Also, it's worth pointing out again, there's little sense in creating a chroot jail if you're going to mount proc inside it (therefore providing a route back out).

    The following code, if run as root or as a setuid-root binary, will spawn a regular bash shell outside the jail environment.

    #include <unistd.h>
    #include <stdio.h>
    #include <stdlib.h>
    int main(int argc, char* argv[])
    {
    	// clear UID restrictions
    	// jailbreak
    	// exec bash
    	char **argv_out = malloc(sizeof(char*)*2);
    	argv_out[0] = "/bin/bash";
    	argv_out[1] = 0;
    	execvp(argv_out[0], argv_out);
    	// fail
    	perror("Unable to execute command");
    	return 1;
    }
  2. cPanelKenneth

    cPanelKenneth cPanel Development Staff Member

    Apr 7, 2006
    cPanel Access Level:
    Root Administrator
    A chroot jail is not a security mechanism.

    If you grant someone root capabilities, don't be surprised when they use the privileges in an unintended way.
  3. JeffP.

    JeffP. Well-Known Member

    Sep 28, 2010
    Additionally, /proc access isn't required. If you get root in a jailed env, you can just chroot somedir, then chdir .. a few times, chroot ., and exec a shell from there. There are protections against this type of thing, but I just wanted to note that /proc isn't really the deciding factor in breaking out of a jailed env or not.
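The thread names two things that undo a chroot jail: setuid-root binaries reachable from inside it and a proc filesystem mounted inside it. The following audit script is an added example, not code from any poster or from cPanel; it reports both for a given jail directory. The jail paths and the sample mount table are constructed for illustration.

```python
import os
import stat
import sys

# Constructed sample in /proc/mounts format (hypothetical jail under /home/jail).
SAMPLE_MOUNTS = """\
proc /proc proc rw,nosuid,nodev,noexec 0 0
/dev/sda1 / ext4 rw 0 0
proc /home/jail/alice/proc proc rw 0 0
/dev/sda1 /home/jail/alice/usr ext4 ro 0 0
proc /home/jailed/bob/proc proc rw 0 0
"""

def is_setuid_root(mode, uid):
    """True for a regular file owned by root that carries the setuid bit."""
    return stat.S_ISREG(mode) and uid == 0 and bool(mode & stat.S_ISUID)

def find_setuid_root(jail_root):
    """Walk the jail and return every setuid-root file a jailed user can reach."""
    hits = []
    for dirpath, _dirs, files in os.walk(jail_root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the jail
            except OSError:
                continue
            if is_setuid_root(st.st_mode, st.st_uid):
                hits.append(path)
    return sorted(hits)

def proc_mounts_in_jail(jail_root, mounts_text):
    """Return mount points of type proc located at or below jail_root."""
    jail = os.path.normpath(jail_root)
    prefix = jail.rstrip("/") + "/"  # avoids matching /home/jailed for /home/jail
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[2] != "proc":
            continue
        # The kernel writes spaces in mount points as the octal escape \040.
        mnt = os.path.normpath(fields[1].replace("\\040", " "))
        if mnt == jail or mnt.startswith(prefix):
            hits.append(mnt)
    return hits

if __name__ == "__main__" and len(sys.argv) == 2:
    with open("/proc/mounts") as fh:
        print("proc mounted in jail:", proc_mounts_in_jail(sys.argv[1], fh.read()))
    print("setuid-root files in jail:", find_setuid_root(sys.argv[1]))
```
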