Re: djbdns breaking out of a chroot?
on Fri, Nov 29, 2002 at 11:19:04AM +0100, martin f krafft (firstname.lastname@example.org) wrote:
> just found this in my logs, after installing djbdns via
> djbdns-installer (FHS) and starting it through svscan.
> albatross kernel: grsec: Attempted fchdir outside of chroot to root
> by (dnscache:29264) UID(105) EUID(105), parent (supervise:24861)
> UID(0) EUID(0)
> What is it doing? I don't know much about djbdns yet, so maybe you can
> shine a light on that...
Not sure if you ever got a response on this.
IIRC, recent (current?) Linux Magazine has an article on chroot jails.
It includes a number of ways in which they can be broken out of, though
most of these require root access within the chroot itself.
Putting your chroot jail on a filesystem without dev or suid permissions
can help limit these exploits further, and is yet another reason for
creating multiple filesystems and mounting them with permissions
appropriate, and adequate, but no more than this, for the job at hand.
Chroot is a good tool, but like much else, it's an additional level of
protection, not a silver bullet.
Karsten M. Self <email@example.com> http://kmself.home.netcom.com/
What Part of "Gestalt" don't you understand?
Geek for hire: http://kmself.home.netcom.com/resume.html
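As a worked check for the mount-option advice in Karsten's reply, here is an added shell example that is not part of the original thread or of djbdns: it reads a /proc/mounts-style table, finds the filesystem a jail directory actually lives on (the mount point that is the longest prefix of the path), and reports whether that filesystem is mounted nodev and nosuid. The mount table below is a constructed sample with hypothetical devices and paths; on a real host you would pass /proc/mounts instead.

```shell
#!/bin/sh
# Added example: verify that the filesystem holding a chroot jail is mounted
# with nodev and nosuid. Not code from the thread or from djbdns.

# Constructed sample in /proc/mounts format (hypothetical devices/paths).
SAMPLE_MOUNTS='/dev/sda1 / ext3 rw 0 0
/dev/sda5 /var ext3 rw 0 0
/dev/sda6 /var/jail ext3 rw,nosuid,nodev,noexec 0 0
proc /proc proc rw 0 0'

# sample_mounts_file: write the constructed table to a temp file and print its name.
sample_mounts_file() {
    f=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTS" > "$f"
    printf '%s\n' "$f"
}

# longest_mount_for PATH MOUNTS_FILE
# Print the table line whose mount point is the longest prefix of PATH,
# i.e. the filesystem PATH really resides on ("/" matches everything).
longest_mount_for() {
    path=$1
    file=$2
    best=""
    bestlen=0
    while read -r dev mnt fstype opts rest; do
        [ -n "$mnt" ] || continue
        match=0
        case "$mnt" in
            /) match=1 ;;
            *) case "$path" in
                   "$mnt"|"$mnt"/*) match=1 ;;
               esac ;;
        esac
        if [ "$match" -eq 1 ] && [ ${#mnt} -gt "$bestlen" ]; then
            best="$dev $mnt $fstype $opts $rest"
            bestlen=${#mnt}
        fi
    done < "$file"
    printf '%s\n' "$best"
}

# jail_mount_ok PATH MOUNTS_FILE
# Exit 0 if the filesystem under PATH carries both nodev and nosuid,
# 1 if either is missing (the missing options are printed), 2 if no mount matches.
jail_mount_ok() {
    line=$(longest_mount_for "$1" "$2")
    [ -n "$line" ] || { echo "no mount found for $1" >&2; return 2; }
    set -- $line
    mnt=$2
    opts=$4
    missing=""
    for want in nodev nosuid; do
        case ",$opts," in
            *",$want,"*) ;;
            *) missing="$missing $want" ;;
        esac
    done
    if [ -n "$missing" ]; then
        echo "$mnt lacks:$missing (opts: $opts)"
        return 1
    fi
    echo "$mnt mounted with nodev,nosuid (opts: $opts)"
    return 0
}

# Demo against the constructed table (replace with /proc/mounts on a real host).
f=$(sample_mounts_file)
jail_mount_ok /var/jail "$f"     || echo "  -> remount the jail's filesystem with nodev,nosuid"
jail_mount_ok /var/jail/etc "$f" || echo "  -> remount the jail's filesystem with nodev,nosuid"
jail_mount_ok /var/other "$f"    || echo "  -> remount the jail's filesystem with nodev,nosuid"
rm -f "$f"
```

Note that the check only tells you which filesystem a path lives on and how it is mounted; a jail that is itself a directory on a normal rw filesystem (like /var/other above) inherits that filesystem's options, which is exactly why the reply suggests giving the jail its own filesystem.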