Firewall Wizards mailing list archives

Re: chroot useful?

From: Anton J Aylward <anton () toronto com>
Date: Mon, 17 Nov 1997 07:03:37 -0500

At 09:29 PM 16/11/97 +0000, Steven M. Bellovin wrote:
## Reply Start ##

As for the other suggestions that you and others have made for locking down
a UNIX-flavored system:  many of these have the right flavor.  All of them
involve making complex decisions, such as the resolv.conf dependency
mentioned by Marcus.  And you might miss something -- there are lots of
system calls these days, and the interactions are complex.  Or there might
be other flaws in the environment passed to the application, such as open
file descriptors.


UNIX certainly has grown complex since I first worked on the V6 kernel.
I'm not sure a lot of that complexity can be justified other than by
the marketing types, but that's a separate issue.

My suggestion to go for the syscall table, which Marcus supplied 
file name info for in another posting, is one way I wold try 
to address this.   We've inherited a mess of spaghetti, in that 
most of us would never design an OS this involved from the point
of view of a functional specification.  But we've been grandfathered.
At lest when hardening a kernel for a firewall we can broadly say
"we don't need that here".

A table driven approach, I have found, localizes the decision points
and - to some degree - simplifies the maintainability for those who
come after.

As for passing file descriptors..... how else would I be able to
run smap ;-)

I like chroot() for file restrictions because both the concept and the
implementation are very simple.  Securing an execution environment is far
more complex, and hence far harder to get right.  At that, I'll note that
the original public release of chroot() itself was insecure, and that even
today there is still the subtle relationship between working directory and
root.


Onionskin.
Without a clean sheet I doubt we'd be able to do EVERYTHING in one
operation.

Thw CWD/ROOTDIR relationship problem can be overcome.  The issue 
to my mind is that no-one thought this thru beforehand, and no spec 
of the 'side effects' was considered.   Yes, you could FORCE a chdir()
to the new root, but somewhere, just like closing file descriptors
on daemons and moving them off mounted file systems and all that,
its the responsibility for the application programmer.   Sigh.

/anton

## Reply End ##
--------------------------------------------------------------------------
Anton J Aylward                  | "Quality refers to the extent to which 
The Strahn & Strachan Group Inc  | processes, products, services, and 
Information Security Consultants | relationships are free from defects, 
Voice: (416) 421-8182            | constraints and items which do not add
  Fax: (416) 421-8183            | value." - Dr. Mildred G Pryor, 1995

Current thread:

Re: chroot useful?, (continued)
- - Re: chroot useful? Wolfgang Ley (Nov 16)
  - Re: chroot useful? Darren Reed (Nov 16)
    - Re: chroot useful? Aleph One (Nov 17)
  - syscall wrappers (was Re: chroot useful?) Bennett Todd (Nov 17)
    - Re: syscall wrappers (was Re: chroot useful?) George Ross (Nov 20)
- RE: chroot useful? Y. W. Ko (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 17)
  - Re: chroot useful? Darren Reed (Nov 20)
    - Firewalling DCOM and brethren David C Niemi (Nov 21)
    - Re: Firewalling DCOM and brethren Magossa'nyi A'rpa'd (Nov 21)
- Re: chroot useful? Anton J Aylward (Nov 17)
- RE: chroot useful? Joseph Judge (Nov 17)
- Re: chroot useful? Paul McNabb (Nov 17)
- Re: chroot useful? Paul McNabb (Nov 17)
  - Re: chroot useful? C. Harald Koch (Nov 20)
- Re: chroot useful? Anton J Aylward (Nov 20)
  - Re: chroot useful? chuck yerkes (Nov 21)
    - Re: chroot useful? Adam Shostack (Nov 21)
- Re: chroot useful? Paul McNabb (Nov 20)
  - Re: chroot useful? Colin Campbell (Nov 21)
    - Small code (was Re: chroot useful?) chuck yerkes (Nov 23)

(Thread continues...)