
Re: djbdns breaking out of a chroot?

i saw this in my logs:
> >   albatross kernel: grsec: Attempted fchdir outside of chroot to root
> >   by (dnscache:29264) UID(105) EUID(105), parent (supervise:24861)
> >   UID(0) EUID(0)

also sprach Karsten M. Self <kmself@ix.netcom.com> [2002.12.15.0936 +0100]:
> Not sure if you ever got a response on this.


> IIRC, recent (current?) Linux Magazine has an article on chroot jails.
> It includes a number of ways in which they can be broken out of, though
> most of these require root access within the chroot itself.

i know about chroots and all the ways to break out of them. i wonder
why djbdns tries to break out of one.

> Putting your chroot jail on a filesystem without dev or suid permissions
> can help limit these exploits further, and is yet another reason for
> creating multiple filesystems and mounting them with permissions
> appropriate, and adequate, but no more than this, for the job at hand.

right. and using grsecurity to further limit them makes breaking out
of chroots almost impossible. yet djbdns tries it, grsecurity
prevents it, and djbdns won't run.

> Chroot is a good tool, but like much else, it's an additional level of
> protection, not a silver bullet.

as everything else in the domain of security.

Please do not CC me! Mutt (www.mutt.org) can handle this automatically.
 .''`.     martin f. krafft <madduck@debian.org>
: :'  :    proud Debian developer, admin, and user
`. `'`
  `-  Debian - when you have better things to do than fixing a system
NOTE: The public PGP keyservers are broken!
Get my key here: http://people.debian.org/~madduck/gpg/330c4a75.asc
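As an added example, not code from this thread nor from djbdns or grsecurity: a small Python parser for grsec chroot-violation lines of the shape quoted above, so a blocked attempt can be pulled out of syslog together with the process, its uid and the parent that spawned it (the field layout is assumed from that single sample line; other grsec versions log this differently).

```python
"""Parse grsecurity 'Attempted ... outside of chroot' log lines."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Field layout assumed from the one line quoted in the thread.
GRSEC_CHROOT_RE = re.compile(
    r"grsec: Attempted (?P<syscall>\w+) outside of chroot to (?P<target>\S+)"
    r" by \((?P<comm>[^:)]+):(?P<pid>\d+)\) UID\((?P<uid>\d+)\) EUID\((?P<euid>\d+)\),"
    r" parent \((?P<pcomm>[^:)]+):(?P<ppid>\d+)\) UID\((?P<puid>\d+)\) EUID\((?P<peuid>\d+)\)"
)


@dataclass
class ChrootViolation:
    syscall: str          # e.g. fchdir
    target: str           # what grsec reports the process tried to reach
    comm: str             # the chrooted process (dnscache in the thread)
    pid: int
    uid: int
    euid: int
    parent_comm: str      # the supervisor that started it (supervise)
    parent_uid: int
    parent_euid: int

    @property
    def process_was_root(self) -> bool:
        """True if the chrooted process itself had root; here it did not."""
        return self.uid == 0 or self.euid == 0


def parse_grsec_chroot_line(line: str) -> Optional[ChrootViolation]:
    """Return the parsed violation, or None for any other log line."""
    m = GRSEC_CHROOT_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return ChrootViolation(g["syscall"], g["target"], g["comm"], int(g["pid"]),
                           int(g["uid"]), int(g["euid"]), g["pcomm"],
                           int(g["puid"]), int(g["peuid"]))


def summarize(lines: List[str]) -> List[Tuple[str, int, int, str, bool]]:
    """(comm, pid, uid, parent_comm, process_was_root) per matching line."""
    hits = [parse_grsec_chroot_line(l) for l in lines]
    return [(v.comm, v.pid, v.uid, v.parent_comm, v.process_was_root) for v in hits if v]


# Constructed sample: the thread's line rejoined onto one line, plus an unrelated line.
SAMPLE_LOG = [
    "albatross kernel: grsec: Attempted fchdir outside of chroot to root "
    "by (dnscache:29264) UID(105) EUID(105), parent (supervise:24861) UID(0) EUID(0)",
    "albatross kernel: eth0: link up",
]

if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(row)
```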