File manipulation after chroot() without chdir("/")

Path-related vulnerabilities for file manipulated after call to chroot

expand all in page

Description

This defect occurs when you have access to a file system outside of the jail created by chroot. By calling chroot, you create a file system jail that confines access to a specific file subsystem. However, this jail is ineffective if you do not call chdir("/").

Risk

If you do not call chdir("/") after creating a chroot jail, file manipulation functions that takes a path as an argument can access files outside of the jail. An attacker can still manipulate files outside the subsystem that you specified, making the chroot jail ineffective.

Fix

After calling chroot, call chdir("/") to make your chroot jail more secure.

Examples

expand all

#include <unistd.h>
#include <stdio.h>

const char root_path[] = "/var/ftproot";
const char log_path[] = "file.log";
FILE* chrootmisuse() {
    FILE* res;
    chroot(root_path);
    chdir("base"); 
    res = fopen(log_path, "r"); 
    return res;
}

This example uses chroot to create a chroot-jail. However, to use the chroot jail securely, you must call chdir("\") afterward. This example calls chdir("base"), which is not equivalent. Bug Finder also flags fopen because fopen opens a file in the vulnerable chroot-jail.

Correction — Call chdir("/")

Before opening files, call chdir("/").

#include <unistd.h>
#include <stdio.h>

const char root_path[] = "/var/ftproot";
const char log_path[] = "file.log";
FILE* chrootmisuse() {
    FILE* res;
    chroot(root_path);
    chdir("/");    
    res = fopen(log_path, "r");
    return res;
}

Result Information

Group: Security
Language: C | C++
Default: Off
Command-Line Syntax: CHROOT_MISUSE
Impact: Medium
CWE ID: 243, 922

See Also

| |

Topics

Introduced in R2015b

Polyspace Bug Finder Documentation

Support