It looks to me that it is possible to escape from a chroot jail with help from outside. Specifically, when someone not inside the chroot moves out the current working directory of someone inside the chroot, the guy inside can use multiple "cd .."'s to finally get to the real root directory.
Steps to Reproduce:
1. Create a directory called "/new" and copy a Gentoo stage1 tarball inside to make it somewhat usable. Create a directory called "/new.store"
2. Open up two root shells. (Maybe this works with user shells as well, didn't try it.)
3. Do the following commands in shell A:
serv0r root # cd /
serv0r / # chroot /new /bin/bash
serv0r / # cd usr
serv0r usr # mkdir escape
serv0r usr # cd escape
4. Do the following command in shell B:
serv0r root # mv /new/usr/escape /new.store/
5. Do the following commands in shell A:
serv0r escape # ls
serv0r escape # pwd
serv0r escape # cd ..
serv0r new.store # ls
serv0r new.store # pwd
As you can see, the chrooted shell A can now access the directory
"/new.store". By using "cd .." again he would be able to change to the real
root directory, despite being chrooted to "/new".
a) Disallow the "mv" of the current working directory of shell A's user or
b) Put shell A's user inside "/usr" (which in fact is "/new/usr") after the
I posted this about one or two weeks ago in the forums
(http://forums.gentoo.org/viewtopic.php?t=160772), but didn't have time to
file a bug report.
This has NOT been tested with up-to-date software, but was reproduced by
forums moderator tomk, I guess he was using current packages.
I was using chroot 5.0 (from coreutils-5.0-r5) and some older kernel (about
2.4.22). Sorry I didn't check the precise kernel version, but I had very
little time at that moment.
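The condition described in the report (a jailed process whose working directory has been moved outside the jail root by someone on the outside) can be detected from inside the jail without changing directory: walk ".." upwards by path and compare device/inode numbers against "/". If the walk reaches a directory whose ".." is itself (the real filesystem root) without ever passing the jail's "/", the working directory is no longer under the root. The following is an added example, not code from the report or from Gentoo; it simulates the report's layout with ordinary directories under a temporary path (no chroot or root privileges needed) and uses rename(2) in place of the outside "mv" to show the check flipping from 1 to 0. A jailed daemon could run cwd_is_under_root() before doing any filesystem work and refuse to continue when it returns 0.

```c
#define _XOPEN_SOURCE 700
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <sys/stat.h>
#include <unistd.h>

/* Two stat results describe the same directory object? (device + inode) */
static int same_dir(const struct stat *a, const struct stat *b)
{
    return a->st_dev == b->st_dev && a->st_ino == b->st_ino;
}

/*
 * Returns 1 if 'start' lies at or under 'root', 0 if walking ".." from
 * 'start' reaches the real filesystem root (".." == ".") without ever
 * passing through 'root', and -1 on error.  The walk appends "/.." to a
 * path string and stat()s it, so the caller's cwd is never changed; the
 * kernel resolves ".." exactly as "cd .." would for the jailed shell.
 */
int dir_is_under(const char *start, const char *root)
{
    struct stat rootst, cur, prev;
    char path[PATH_MAX];

    if (stat(root, &rootst) != 0)
        return -1;
    if (snprintf(path, sizeof path, "%s", start) >= (int)sizeof path)
        return -1;
    if (stat(path, &cur) != 0)
        return -1;

    for (;;) {
        if (same_dir(&cur, &rootst))
            return 1;                    /* passed through root: inside */
        prev = cur;
        if (strlen(path) + 3 >= sizeof path)
            return -1;
        strcat(path, "/..");
        if (stat(path, &cur) != 0)
            return -1;
        if (same_dir(&cur, &prev))
            return 0;                    /* real root reached, jail root never seen */
    }
}

/* What a jailed process would call: is my cwd still under my "/"? */
int cwd_is_under_root(void)
{
    return dir_is_under(".", "/");
}

/*
 * Constructed demo of the report's layout: base/new (the "jail"),
 * base/new/usr/escape (the cwd) and base/new.store (outside).  Returns
 * before*10 + after, i.e. 10 when the check is 1 before the move and 0
 * after it.  Uses a temporary directory, not a real chroot.
 */
int demo(void)
{
    char base[] = "/tmp/chroot-demo-XXXXXX";   /* template for mkdtemp */
    char jail[PATH_MAX], usr[PATH_MAX], escape[PATH_MAX];
    char store[PATH_MAX], moved[PATH_MAX];
    int before, after;

    if (mkdtemp(base) == NULL)
        return -1;
    snprintf(jail, sizeof jail, "%s/new", base);
    snprintf(usr, sizeof usr, "%s/usr", jail);
    snprintf(escape, sizeof escape, "%s/escape", usr);
    snprintf(store, sizeof store, "%s/new.store", base);
    snprintf(moved, sizeof moved, "%s/escape", store);

    if (mkdir(jail, 0700) || mkdir(usr, 0700) ||
        mkdir(escape, 0700) || mkdir(store, 0700))
        return -1;

    before = dir_is_under(escape, jail);        /* expected 1 */
    if (rename(escape, moved) != 0)             /* the outside "mv" from the report */
        return -1;
    after = dir_is_under(moved, jail);          /* expected 0 */

    rmdir(moved); rmdir(store); rmdir(usr); rmdir(jail); rmdir(base);
    return before * 10 + after;
}

int main(void)
{
    printf("cwd under root: %d\n", cwd_is_under_root());
    printf("demo (expect 10): %d\n", demo());
    return 0;
}
```

The check only reports the condition; as the maintainer notes below, the kernel behaviour itself is by design, so the practical mitigation is on the operator's side (keep the jailed process's cwd at the jail root, and don't let processes outside the jail rename directories beneath it).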
We can't fix this.
What you're talking about goes into the fundamental design of the kernel.
Note: There are also other ways to abuse a default chroot setup that don't require
external forces to help you including iopl, shmat, ptrace, kill, mount, fchdir,
AF_UNIX sockets, chmod, mknod.
Changing resolution to CANTFIX
If you feel that we can fix this somehow then please attach a patch and reopen.