Firewall Wizards mailing list archives

Re: chroot useful?


From: mcnabb () argus-systems com (Paul McNabb)
Date: Fri, 14 Nov 1997 16:47:28 -0600

 Date: Fri, 14 Nov 1997 02:54:59 +0000
 From: "Steven M. Bellovin" <smb () research att com>

 >That is, chroot could be run to define the root point such that critical 
 >files are inaccessible, and then the untrusted application would 
 >subsequently be launched.  Is this not correct?
 
 That was precisely my point -- that this opinion is not correct.  There
 are numerous ways for root to break out of a chroot() "jail"; the simplest
 is to do mknod() to create new special device files for the real disks, and
 mount new file systems on those devices.  Many other variants are possible
 as well.

Unless, again, your system allows you to prevent root from doing a mknod().
The use of capabilities and/or privileges can get around these mechanisms
that make chroot less secure.  On Decaf'ed systems, processes running in
capability mode can't make the mknod() system call, even if the uid is 0.

paul

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------
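
An added example, not part of either post above: on Linux (an assumption; the thread is about Decaf'ed systems), mknod() of device nodes requires CAP_MKNOD and mount() requires CAP_SYS_ADMIN, so a uid-0 process whose effective capability set lacks both cannot use the breakout described in the quoted message. This C check reads those bits from a /proc/<pid>/status snapshot before an untrusted program is launched in the chroot; the function names and sample snapshots are constructed for illustration.

```c
/* Added example: audit a Linux /proc/<pid>/status snapshot for the two
 * operations named in the thread, mknod() and mount(). */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_SYS_ADMIN_BIT 21  /* Linux capability needed for mount() */
#define CAP_MKNOD_BIT     27  /* Linux capability needed to mknod() devices */
#define RISK_MKNOD 1
#define RISK_MOUNT 2

/* Constructed samples (not captured from a real host). */
static const char SAMPLE_FULL_ROOT[] =
    "Name:\tdaemon\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n";
static const char SAMPLE_CONFINED_ROOT[] =
    "Name:\tdaemon\nUid:\t0\t0\t0\t0\nCapEff:\t000001fff7dfffff\n";

/* Find "field:" at the start of a line; return a pointer just past the colon. */
static const char *find_field(const char *status, const char *field) {
    size_t n = strlen(field);
    const char *p = status;
    while (p && *p) {
        if (strncmp(p, field, n) == 0 && p[n] == ':')
            return p + n + 1;
        p = strchr(p, '\n');
        if (p) p++;
    }
    return NULL;
}

/* Returns -1 if Uid or CapEff is missing, else a bitmask of RISK_* flags.
 * The effective uid is stored in *euid so callers can see "root but confined". */
int jail_risks(const char *status, long *euid) {
    const char *u = find_field(status, "Uid");
    const char *c = find_field(status, "CapEff");
    char *end;
    if (!u || !c) return -1;
    (void)strtol(u, &end, 10);            /* skip the real uid */
    *euid = strtol(end, NULL, 10);        /* second column: effective uid */
    unsigned long long eff = strtoull(c, NULL, 16);
    int risks = 0;
    if (eff & (1ULL << CAP_MKNOD_BIT))     risks |= RISK_MKNOD;
    if (eff & (1ULL << CAP_SYS_ADMIN_BIT)) risks |= RISK_MOUNT;
    return risks;
}

int main(void) {
    const char *s[] = { SAMPLE_FULL_ROOT, SAMPLE_CONFINED_ROOT };
    for (int i = 0; i < 2; i++) {
        long euid = -1;
        int r = jail_risks(s[i], &euid);
        printf("euid=%ld mknod=%s mount=%s\n", euid,
               (r & RISK_MKNOD) ? "allowed" : "denied",
               (r & RISK_MOUNT) ? "allowed" : "denied");
    }
    return 0;
}
```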


