[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chroot

On Mon, Oct 01, 2001 at 01:03:44AM -0700, Blars Blarson wrote:
> In article <20010924032741.B15557@dat.etsit.upm.es> jfs@computer.org writes:
> >	I am not sure everybody is aware of the "Securing Debian Manual"
> >which can be found at
> >http://www.debian.org/doc/manuals/securing-debian-howto/. In any case, I'm
> >asking for some help with this document due to the current overload of
> >information I'm suffering.
> One major problem I've noticed is it seems to perpetuate common
> misconseptions about chroot.  If you have root access in a chroot
> enviornment, it's quite possible to break out and take over the whole
> system.  (I've know of two ways off the top of my head, I'm sure there
> are others.) Giving untrusted code root access in a chroot enviornment
> is security by obscurity -- worthless against a determined attacker
> and the people setting it up are deluding themselves that their system
> are protected. 

 Yep, you can load modules, and you can run mknod(2) to make your own
/dev/hda, among other things.  These are blockable by removing capabilities,
though.  (At least, the modules attack is.)

> (Perhaps you should consider a section on "security by obscurity" and
> why it is useless.)

 Obscurity is not useless.  It is no good as your only defence, but combined
with solid security, obscurity makes an attackers job harder and more time
consuming.  If nothing else, it may well give you more time to see stuff
going on in the logs before the attacker breaks into anything where they can
do damage.

> Running non-root in a chroot enviornment does add a level of
> protection.  (You can't access world-readable files.)

 Also, you can't execute setuid binaries that aren't in the chroot, which
may have security problems with exploits known only to certain black-hats.

#define X(x,y) x##y
Peter Cordes ;  e-mail: X(peter@llama.nslug. , ns.ca)

"The gods confound the man who first found out how to distinguish the hours!
 Confound him, too, who in this place set up a sundial, to cut and hack
 my day so wretchedly into small pieces!" -- Plautus, 200 BCE

Reply to: