
RE: chroot (was Re: Need Help with the Debian Securing Manual (contributions accepted))



thx for the info but for some reason I'm receiving http error 403.
I guess/hope they took it down.
however, all the other manuals are available:
http://www.debian.org/doc/manuals

cheers,
Kim


-----Original Message-----
From: Blars Blarson [mailto:blarson@blars.org]
Sent: Monday, 1 October 2001 10:04
To: jfs@computer.org; debian-security@lists.debian.org
CC: blarson@blars.org
Subject: chroot (was Re: Need Help with the Debian Securing Manual
(contributions accepted))


In article <20010924032741.B15557@dat.etsit.upm.es> jfs@computer.org writes:
>	I am not sure everybody is aware of the "Securing Debian Manual"
>which can be found at
>http://www.debian.org/doc/manuals/securing-debian-howto/. In any case, I'm
>asking for some help with this document due to the current overload of
>information I'm suffering.


One major problem I've noticed is it seems to perpetuate common
misconceptions about chroot.  If you have root access in a chroot
environment, it's quite possible to break out and take over the whole
system.  (I know of two ways off the top of my head, I'm sure there
are others.) Giving untrusted code root access in a chroot environment
is security by obscurity -- worthless against a determined attacker
and the people setting it up are deluding themselves that their systems
are protected.

(Perhaps you should consider a section on "security by obscurity" and
why it is useless.)

Running non-root in a chroot environment does add a level of
protection.  (You can't access world-readable files.)

Chroot was designed as a software testing tool, not a security tool.


--
Blars Blarson 					blarson@blars.org
				http://www.blars.org/blars.html
"Text is a way we cheat time." -- Patrick Nielsen Hayden
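
The non-root case described in the message above, as an added example that is not part of the original post or of the Securing Debian Manual: a C routine that enters a chroot and then permanently gives up root, refusing to run if the target identity is still root. The function name, return codes, jail directory and uid/gid values are assumptions made for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE 1   /* exposes chroot() and setgroups() on glibc */
#endif
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical return codes for this example. */
enum { JAIL_OK = 0, JAIL_ROOT_TARGET = -1, JAIL_CHDIR = -2,
       JAIL_CHROOT = -3, JAIL_DROP = -4, JAIL_STILL_ROOT = -5 };

/* jail_dir, uid and gid are chosen by the caller (assumed parameters). */
int confine_and_drop(const char *jail_dir, uid_t uid, gid_t gid)
{
    /* Root inside a chroot is not contained, so refuse a target
       identity that would leave the process with uid 0 or gid 0. */
    if (uid == 0 || gid == 0)
        return JAIL_ROOT_TARGET;

    /* Enter the directory first so the working directory cannot be
       left pointing outside the new root after chroot(). */
    if (chdir(jail_dir) != 0)
        return JAIL_CHDIR;
    if (chroot(".") != 0)              /* requires root privileges */
        return JAIL_CHROOT;
    if (chdir("/") != 0)
        return JAIL_CHDIR;

    /* Drop supplementary groups, then gid, then uid. After setuid()
       the process may no longer change its groups, so uid goes last. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_DROP;

    /* Confirm the drop is permanent: regaining uid 0 must fail. */
    if (setuid(0) == 0 || geteuid() == 0 || getegid() == 0)
        return JAIL_STILL_ROOT;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    /* Constructed sample values: /var/empty and id 65534 are assumptions. */
    const char *dir = argc > 1 ? argv[1] : "/var/empty";
    int rc = confine_and_drop(dir, 65534, 65534);
    printf("confine_and_drop(%s) = %d\n", dir, rc);
    return rc == JAIL_OK ? 0 : 1;
}
```
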

