Preemptive strategies

Jan Dvorak mordae at
Wed Oct 29 23:43:22 PDT 2008

On Thursday 30 October 2008 00:48:00 Robert Connolly wrote:
> The problem I have with these, and all other chroot tools, is that
> they run the target program inside the chroot, not outside, so it
> doesn't work with an empty chroot. named, ntpd, etc, start as root,
> chroot to an empty directory, then drop root.

Obviously. What you need is either link all binaries you ever want to 
chroot with a specially crafted library (that would read env and perform 
chroot, setuid, whatever...) or such library can be ${LD_PRELOAD}ed.

Other then that, only patching the application seems viable. Or, 
perhaps, we can patch the to perform chroot/setuid based on env 
variables just after it loads all shared objects for the started 

> Can any of you make something usable enough to submit to
> or think this not a wise idea?

I don't think this is reasonable.

And I remembered another way. You can ptrace the target binary, set 
breakpoint at the beginning of main() and once there, inject chroot/sid 
call or whatever you need. _This_is_the_hard_way_.

More information about the hlfs-dev mailing list