Bugtraq mailing list archives

Re: response to the bugtraq report of buffer overruns in imapd LIST command


From: Darren.Moffat () UK SUN COM (Darren Moffat - Solaris Sustaining Engineering)
Date: Tue, 18 Apr 2000 10:04:42 +0100


Last but not least, I am very interested in Kris Kennaway's claim that "It
may also be possible to break out of the chroot jail on some platforms."  If

It is possible, especially if you have /proc mounted.  It is made even
more likely if you have processes inside and outside of the chroot
environment running under the same uid.

Note that if /proc is mounted it is very difficult, nay impossible in
many systems to contain the root user inside a chroot environment.

Other possible escape routes are likely if you are using lofs (loopback
mounts) to bring outside data into the chroot, for example running
imapd in a chroot and lofs mounting /var/mail into the chroot. Be
very careful about what you bring into the chroot environment.

chroot is NOT a security feature; it never was intended as one. However,
many people use it as one, as it helps to limit the impact of a service
being exploited, but do NOT ever rely on not being able to break out of
the chroot.

My general feeling is that if you wouldn't be happy running the service
outside of a chroot environment then you shouldn't run it at all.  I'm
not saying don't use chroot; what I'm saying is don't use it as an excuse
to not fix security bugs.

--
Darren J Moffat
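The three conditions the post singles out (a proc filesystem mounted inside the jail, loopback/bind mounts bringing outside data in, and a uid shared between processes inside and outside the jail, plus root running inside at all) can be checked from a mount table and a process listing. The following audit script is an added example, not code from the original post or from Sun; the mount table is in Linux /proc/mounts format with a Solaris-style lofs entry added, the process listing is a constructed list of (pid, uid, root directory) tuples, and the jail path /var/imap-jail is an assumed placeholder.

```python
"""Audit a chroot jail for the escape-friendly conditions named in the post.

Added example (not from the original message). Inputs are constructed:
a mount table in /proc/mounts format and a (pid, uid, root) process list.
"""

# Assumed jail path (placeholder).
JAIL = "/var/imap-jail"

# Constructed mount table: device mountpoint fstype options dump pass.
# Note: Linux /proc/mounts does not label bind mounts in the options
# column (that needs /proc/self/mountinfo); the "bind" option below is
# written explicitly so the sample exercises the loopback check.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
proc /var/imap-jail/proc proc rw 0 0
/var/mail /var/imap-jail/var/mail lofs rw,bind 0 0
tmpfs /var/imap-jail/tmp tmpfs rw 0 0
"""

# Constructed process listing: (pid, uid, effective root directory).
SAMPLE_PROCS = [
    (1, 0, "/"),
    (1234, 0, "/"),                  # root shell outside the jail
    (2001, 1001, "/var/imap-jail"),  # imapd inside the jail
    (2002, 1001, "/"),               # same uid, outside the jail
    (2003, 0, "/var/imap-jail"),     # root inside the jail
    (3000, 1002, "/var/imap-jail"),  # uid used only inside the jail
]


def parse_mounts(text):
    """Parse /proc/mounts-style lines into dicts; skip malformed lines."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        mounts.append({
            "device": parts[0],
            "mountpoint": parts[1],
            "fstype": parts[2],
            "options": parts[3].split(","),
        })
    return mounts


def inside_jail(path, jail):
    """True if path is the jail root or lies beneath it."""
    jail = jail.rstrip("/") or "/"
    if jail == "/":
        return True
    return path == jail or path.startswith(jail + "/")


def audit_jail(jail, mounts, procs):
    """Return (finding, detail) tuples for the risk conditions found."""
    findings = []
    # 1. Filesystems mounted beneath the jail root.
    for m in mounts:
        mp = m["mountpoint"]
        if mp == jail or not inside_jail(mp, jail):
            continue
        if m["fstype"] == "proc":
            findings.append(("proc_in_jail", mp))
        if m["fstype"] == "lofs" or "bind" in m["options"]:
            findings.append(("loopback_in_jail", mp))
    # 2. Root running inside the jail cannot be contained reliably.
    for pid, uid, root in procs:
        if uid == 0 and inside_jail(root, jail):
            findings.append(("root_in_jail", str(pid)))
    # 3. Non-root uids present both inside and outside the jail.
    uids_inside = {uid for _, uid, root in procs if inside_jail(root, jail)}
    uids_outside = {uid for _, uid, root in procs if not inside_jail(root, jail)}
    for uid in sorted((uids_inside & uids_outside) - {0}):
        findings.append(("shared_uid", str(uid)))
    return findings


def audit_sample():
    """Run the audit over the constructed sample data."""
    return audit_jail(JAIL, parse_mounts(SAMPLE_MOUNTS), SAMPLE_PROCS)


if __name__ == "__main__":
    for finding, detail in audit_sample():
        print(f"{finding}: {detail}")
```

On a live system the same checks would read /proc/mounts (or /proc/self/mountinfo, which does expose bind mounts) and, for each pid, the uid from /proc/PID/status and the root directory from readlink on /proc/PID/root; the constructed inputs here stand in for those so the script runs offline.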


