Firewall Wizards mailing list archives
Re: Proxy firewall design.
From: mcnabb () argus-systems com (Paul McNabb)
Date: Thu, 12 Mar 1998 16:31:02 -0600
> I hope the ``chroot escape hole'' is fixed (as discussed here a few
> weeks ago). The safe assumption is that the superuser can always evade chroot() protection.
I think it is a bit futile to try to isolate a network service by putting its daemon in a chroot box. Not only do you have the bother of setting up and maintaining the box, but you haven't really isolated the daemon. It can still go through other network interfaces that you don't want it to, it can signal processes, set up IPC connections, use the STREAMS/socket interface to talk to other daemons listening, etc. And above all, if there is any superuser/root ability associated with the chroot box or daemon, the daemon may be able to escape.

You can completely and permanently isolate a process using other mechanisms that are designed to isolate a process, namely trusted OSes. Trying to use other mechanisms is like using a saw to hammer a nail. chroot is a great tool, but the wrong one for this job. Use chroot to provide a virtual file system environment, not to isolate and protect a daemon.

paul

---------------------------------------------------------
Paul McNabb                    Argus Systems Group, Inc.
Vice President and CTO         1809 Woodfield Drive
mcnabb () argus-systems com    Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433               "Securing the Future"
---------------------------------------------------------
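An added example, not part of the original post: the message's point that any superuser ability left with a chrooted daemon may let it escape can be audited on a running system. The sketch assumes a Linux `/proc` layout (`/proc/<pid>/root`, and the `Uid` and `CapEff` lines of `/proc/<pid>/status`); the function names, the `/var/chroot/daemon` path and the status samples are constructed for illustration.

```python
import os

CAP_SYS_CHROOT = 18  # bit position of CAP_SYS_CHROOT in Linux capability masks

def parse_status(text):
    """Extract the four UIDs and the effective capability mask from status text."""
    fields = {}
    for line in text.splitlines():
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    uids = [int(u) for u in fields["Uid"].split()]  # real, effective, saved, fs
    cap_eff = int(fields.get("CapEff", "0"), 16)
    return uids, cap_eff

def assess(root_link, status_text):
    """Return findings for one process given its root link and status text."""
    if root_link == "/":
        return ["not chrooted"]
    uids, cap_eff = parse_status(status_text)
    findings = []
    # A saved UID of 0 is enough: the process can switch its effective UID back.
    if 0 in uids:
        findings.append("chrooted but still holds uid 0 in %s" % uids)
    if (cap_eff >> CAP_SYS_CHROOT) & 1:
        findings.append("chrooted but holds CAP_SYS_CHROOT")
    return findings

def assess_pid(pid):
    """Assess a live process; reading another user's /proc entries needs root."""
    root_link = os.readlink("/proc/%d/root" % pid)
    with open("/proc/%d/status" % pid) as fh:
        return assess(root_link, fh.read())

# Constructed samples (not captured from a real system).
SAMPLE_ROOT = "Name:\tftpd\nUid:\t0\t0\t0\t0\nCapEff:\t000001ffffffffff\n"
SAMPLE_SAVED = "Name:\tproxyd\nUid:\t1001\t1001\t0\t1001\nCapEff:\t0000000000000000\n"
SAMPLE_DROPPED = "Name:\thttpd\nUid:\t1001\t1001\t1001\t1001\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    for name, text in [("root", SAMPLE_ROOT), ("saved", SAMPLE_SAVED),
                       ("dropped", SAMPLE_DROPPED)]:
        print(name, assess("/var/chroot/daemon", text))
```

An empty result only means no root ability was found; it says nothing about the network, signal and IPC paths the message lists.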
Current thread:
- Proxy firewall design. Darren Reed (Mar 10)
- Re: Proxy firewall design. Bernhard Schneck (Mar 11)
- Re: Proxy firewall design. tqbf (Mar 12)
- <Possible follow-ups>
- RE: Proxy firewall design. Joseph Judge (Mar 12)
- Re: Proxy firewall design. Paul McNabb (Mar 12)
- Re: Proxy firewall design. Bernhard Schneck (Mar 11)