It looks to me that it is possible to escape from a chroot jail with help from outside. Specifically, when someone not inside the chroot moves out the current working directory of someone inside the chroot, the guy inside can use multiple "cd .."s to finally get to the real root directory.

Reproducible: Always

Steps to Reproduce:
1. Create a directory called "/new" and copy a Gentoo stage1 tarball inside to make it somewhat usable. Create a directory called "/new.store".
2. Open up two root shells. (Maybe this works with user shells as well, didn't try it.)
3. Do the following commands in shell A:
   serv0r root # cd /
   serv0r / # chroot /new /bin/bash
   serv0r / # cd usr
   serv0r usr # mkdir escape
   serv0r usr # cd escape
4. Do the following command in shell B:
   serv0r root # mv /new/usr/escape /new.store/
5. Do the following commands in shell A:
   serv0r escape # ls
   serv0r escape # pwd
   /usr/escape
   serv0r escape # cd ..
   serv0r new.store # ls
   escape usr
   serv0r new.store # pwd
   /new.store

Actual Results:
As you can see, the chrooted shell A can now access the directory "/new.store". By using "cd .." again he would be able to change to the real root directory, despite being chrooted to "/new".

Expected Results:
Either a) disallow the "mv" of the current working directory of shell A's user, or b) put shell A's user inside "/usr" (which in fact is "/new/usr") after the "cd ..".

I posted this about one or two weeks ago in the forums (http://forums.gentoo.org/viewtopic.php?t=160772), but didn't have time to file a bug report. This has NOT been tested with up-to-date software, but was reproduced by forum moderator tomk; I guess he was using current packages. I was using chroot 5.0 (from coreutils-5.0-r5) and some older kernel (about 2.4.22). Sorry I didn't check the precise kernel version, but I had very little time at that moment.
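The condition in the report (a jailed process whose working directory has been moved outside its root) is visible from the host: /proc/PID/root and /proc/PID/cwd, read from outside the jail, resolve to host paths, so a cwd that is not under the root is the escape precondition. The following host-side check is an added example, not part of the bug report; it compares path components rather than string prefixes because "/new.store" would otherwise look like it lies under "/new", and the /proc scan is assumed to run as root on the host, not inside the jail.

```python
import os
from pathlib import PurePosixPath


def cwd_outside_root(root: str, cwd: str) -> bool:
    """True if cwd is not contained in root.

    Compares path components, so "/new.store/escape" is correctly
    reported as outside "/new" even though it shares a string prefix.
    """
    root_parts = PurePosixPath(os.path.normpath(root)).parts
    cwd_parts = PurePosixPath(os.path.normpath(cwd)).parts
    return cwd_parts[: len(root_parts)] != root_parts


def check_process(pid: int) -> dict:
    """Read a process's root and cwd as the host sees them and flag drift.

    Must be called from outside the jail: inside it, /proc/PID/root and
    /proc/PID/cwd are relative to the jail's own view of the filesystem.
    """
    root = os.readlink(f"/proc/{pid}/root")
    cwd = os.readlink(f"/proc/{pid}/cwd")
    return {"pid": pid, "root": root, "cwd": cwd,
            "escaped": cwd_outside_root(root, cwd)}


def scan_chrooted_processes() -> list:
    """Return the check result for every process whose root is not '/'."""
    findings = []
    for name in os.listdir("/proc"):
        if not name.isdigit():
            continue
        try:
            info = check_process(int(name))
        except OSError:
            continue  # process exited, or we lack permission to read it
        if info["root"] != "/":
            findings.append(info)
    return findings


if __name__ == "__main__":
    for f in scan_chrooted_processes():
        state = "ESCAPED" if f["escaped"] else "ok"
        print(f"pid {f['pid']}: root={f['root']} cwd={f['cwd']} {state}")
```

A finding with cwd outside root is exactly the state shell A is in after step 4; after step 5 the process also holds a directory handle above its root, so the check should be followed by terminating the process or restoring the directory rather than just logging.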
We can't fix this. What you're talking about goes into the fundamental design of the kernel. Note: there are also other ways to abuse a default chroot setup that don't require external forces to help you, including iopl, shmat, ptrace, kill, mount, fchdir, AF_UNIX sockets, chmod, mknod. Changing resolution to CANTFIX. If you feel that we can fix this somehow then please attach a patch and reopen.