nchip wrote,
@ 2006-07-25 22:45:00
Dear lazyweb..
Relatively simple task - given a pid, find out if it is in the same chroot as you. Until now we simply used the following code, which would error out if the given pid was not in chroot like us:

readlink /proc/$pid/root

All good things come to an end eventually, this time with the soon-to-come-out 2.6.18 Linux kernel release. A recent commit changes the permissions of symlinks in /proc (not only /proc/$pid/fd, as it would seem from the commit message). Using ptrace as security policy is not a bad idea. If you can access the information via ptrace, hiding it from /proc made little sense. Which leads to the scary observation that one can ptrace any process with the same UID outside your chroot sandbox. This is not a security bug, since one can escape chroot anyway. I just hadn't realized *HOW* easy it was.

Back to the topic, using /proc/$pid/root was not a standard or even documented interface, so I can hardly complain. I'm still left without a proper replacement:

So what AM I supposed to use?




heviosso
2006-07-25 09:24 pm UTC
First thing to come to mind: how about traversing the pid tree downwards up from your process' pid. Either you hit the pid of a process which is known to be in the same chroot (say, the process that called chroot()) or you hit 1. This, however, won't work in case of a daemon or whatever else reparented to 'init'.



(Anonymous)
2006-07-26 12:04 am UTC
Ask on LKML.



womble2
2006-07-26 10:33 am UTC
Let's take a step back. What are you trying to do that appears to need that information?



nchip
2006-07-26 03:06 pm UTC
Simply list for users what processes they still have running in their chroot. And, if asked, kill them all.



(Anonymous)
2006-07-26 10:19 pm UTC
So user x wants to know what processes user x has running in which chroot.

So given your observation that "one can ptrace any process with same UID outside your chroot sandbox" you should be able to look at /proc/$PID/root for any process with the same UID, even outside your chroot sandbox. Thus, all you need to do is catch errors trying to lstat /proc/$PID/root and assume that the process that caused them doesn't belong to you.

--Ken Bloom
(who really should get a livejournal account)

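One way to make the check discussed in this thread, as an added example that is not part of the original post or any commenter's code: compare the device and inode that /proc/$pid/root resolves to with those of /, and treat a failed stat as the error case described in the comment above. The function names and the `PROC_DIR` override are assumptions made here, and it assumes a `stat` that accepts `-L` and `-c` (GNU coreutils or BusyBox) and a kernel that lets the caller follow the link.

```shell
#!/bin/sh
# Added example: identify a process's root by directory identity
# (device:inode) instead of by the text of the /proc/$pid/root symlink.
# PROC_DIR is a hypothetical override so the logic can be exercised on a
# constructed directory tree; it defaults to the real /proc.
PROC_DIR=${PROC_DIR:-/proc}

# root_id PATH: print "device:inode" of the directory PATH resolves to.
# Fails (non-zero) if PATH is missing or the caller may not follow it.
root_id() {
    stat -L -c '%d:%i' "$1" 2>/dev/null
}

# same_root PID
#   returns 0  the pid's root is the same directory as our /
#   returns 1  the pid's root is a different directory
#   returns 2  the root could not be examined (bad pid, process gone,
#              or access denied)
same_root() {
    case $1 in
        ''|*[!0-9]*) return 2 ;;   # accept only a numeric pid
    esac
    mine=$(root_id /) || return 2
    theirs=$(root_id "$PROC_DIR/$1/root") || return 2
    [ "$mine" = "$theirs" ]
}

# list_same_root: print each pid under PROC_DIR whose root matches ours.
# Pids that return 1 or 2 from same_root are left out of the listing.
list_same_root() {
    for d in "$PROC_DIR"/[0-9]*; do
        [ -d "$d" ] || continue
        pid=${d##*/}
        if same_root "$pid"; then
            echo "$pid"
        fi
    done
}
```

A pid can exit or be reused between listing and signalling, so re-run `same_root` on each pid immediately before killing it.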


womble2
2006-07-27 09:41 am UTC
And you have to do that from inside the chroot?


