author | 1996-09-24 02:38:30 +0000 | |
---|---|---|
committer | 1996-09-24 02:38:30 +0000 | |
commit | 060a3d582d1fb471cf698664b4e9d6fb44dbbc91 (patch) | |
tree | 1546e8f56df4cc9b8b7425b2e3bf2b77d57846f6 | |
parent | Minor warning about unterminated constant fixed (diff) | |
unescapeable chroot; thanks to nirva and asriel for helping
-rw-r--r-- | lib/libc/sys/chroot.2 | 8 | ||||
-rw-r--r-- | sys/kern/vfs_syscalls.c | 12 |
2 files changed, 17 insertions, 3 deletions
diff --git a/lib/libc/sys/chroot.2 b/lib/libc/sys/chroot.2 index 74c64ee4b49..0b66b680706 100644 --- a/lib/libc/sys/chroot.2 +++ b/lib/libc/sys/chroot.2 @@ -57,10 +57,16 @@ beginning with In order for a directory to become the root directory a process must have execute (search) access for that directory. .Pp -It should be noted that +If the program is not currently running with an altered root directory, +it should be noted that .Fn chroot has no effect on the process's current directory. .Pp +If the program is already running with an altered root directory, the +process's current directory is changed to the same new root directory. +This prevents the current directory from being further up the directory +tree than the altered root directory. +.Pp This call is restricted to the super-user. .Sh RETURN VALUES Upon successful completion, a value of 0 is returned. Otherwise, diff --git a/sys/kern/vfs_syscalls.c b/sys/kern/vfs_syscalls.c index 36e7dddcd48..518dd912abf 100644 --- a/sys/kern/vfs_syscalls.c +++ b/sys/kern/vfs_syscalls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: vfs_syscalls.c,v 1.12 1996/08/08 06:36:47 tholo Exp $ */ +/* $OpenBSD: vfs_syscalls.c,v 1.13 1996/09/24 02:38:30 deraadt Exp $ */ /* $NetBSD: vfs_syscalls.c,v 1.71 1996/04/23 10:29:02 mycroft Exp $ */ /* @@ -701,8 +701,16 @@ sys_chroot(p, v, retval) SCARG(uap, path), p); if ((error = change_dir(&nd, p)) != 0) return (error); - if (fdp->fd_rdir != NULL) + if (fdp->fd_rdir != NULL) { + /* + * A chroot() done inside a changed root environment does + * an automatic chdir to avoid the out-of-tree experience. + */ vrele(fdp->fd_rdir); + vrele(fdp->fd_cdir); + VREF(nd.ni_vp); + fdp->fd_cdir = nd.ni_vp; + } fdp->fd_rdir = nd.ni_vp; return (0); } |
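Review bot: In the sys_chroot hunk of sys/kern/vfs_syscalls.c the new branch re-anchors only `fdp->fd_cdir`, so any directory descriptor the process already holds in its file table still refers to a vnode outside the new root, and the "unescapeable" in the commit title holds for the working directory only. Nothing visible here checks or closes such descriptors, so I would state that limit in the new comment, e.g. `* Only fd_cdir is re-anchored; directory descriptors already open are not checked.`, and add the same caveat to the chroot.2 text. The branch also runs only when `fd_rdir` is already set, so a first chroot() still leaves the working directory where it was (the chroot.2 hunk documents this) and callers need their own `chdir("/")` afterwards. Minor: `vrele(fdp->fd_cdir)` runs before the pointer is replaced; if vrele() can sleep at this point, which the hunk does not show, assigning `fdp->fd_cdir = nd.ni_vp` first and releasing the old vnode afterwards would avoid a window with a stale pointer. The start of sys_chroot lies outside the hunk.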