Firewall Wizards mailing list archives
Re: chroot useful?
From: Anton J Aylward <anton () toronto com>
Date: Mon, 17 Nov 1997 07:03:37 -0500
At 09:29 PM 16/11/97 +0000, Steven M. Bellovin wrote: ## Reply Start ##
As for the other suggestions that you and others have made for locking down a UNIX-flavored system: many of these have the right flavor. All of them involve making complex decisions, such as the resolv.conf dependency mentioned by Marcus. And you might miss something -- there are lots of system calls these days, and the interactions are complex. Or there might be other flaws in the environment passed to the application, such as open file descriptors.
UNIX certainly has grown complex since I first worked on the V6 kernel. I'm not sure a lot of that complexity can be justified other than by the marketing types, but that's a separate issue. My suggestion to go for the syscall table, which Marcus supplied file name info for in another posting, is one way I wold try to address this. We've inherited a mess of spaghetti, in that most of us would never design an OS this involved from the point of view of a functional specification. But we've been grandfathered. At lest when hardening a kernel for a firewall we can broadly say "we don't need that here". A table driven approach, I have found, localizes the decision points and - to some degree - simplifies the maintainability for those who come after. As for passing file descriptors..... how else would I be able to run smap ;-)
I like chroot() for file restrictions because both the concept and the implementation are very simple. Securing an execution environment is far more complex, and hence far harder to get right. At that, I'll note that the original public release of chroot() itself was insecure, and that even today there is still the subtle relationship between working directory and root.
Onionskin. Without a clean sheet I doubt we'd be able to do EVERYTHING in one operation. Thw CWD/ROOTDIR relationship problem can be overcome. The issue to my mind is that no-one thought this thru beforehand, and no spec of the 'side effects' was considered. Yes, you could FORCE a chdir() to the new root, but somewhere, just like closing file descriptors on daemons and moving them off mounted file systems and all that, its the responsibility for the application programmer. Sigh. /anton
## Reply End ## -------------------------------------------------------------------------- Anton J Aylward | "Quality refers to the extent to which The Strahn & Strachan Group Inc | processes, products, services, and Information Security Consultants | relationships are free from defects, Voice: (416) 421-8182 | constraints and items which do not add Fax: (416) 421-8183 | value." - Dr. Mildred G Pryor, 1995
Current thread:
- Re: chroot useful?, (continued)
- Re: chroot useful? Wolfgang Ley (Nov 16)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Aleph One (Nov 17)
- syscall wrappers (was Re: chroot useful?) Bennett Todd (Nov 17)
- Re: syscall wrappers (was Re: chroot useful?) George Ross (Nov 20)
- RE: chroot useful? Y. W. Ko (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 17)
- Re: chroot useful? Darren Reed (Nov 20)
- Firewalling DCOM and brethren David C Niemi (Nov 21)
- Re: Firewalling DCOM and brethren Magossa'nyi A'rpa'd (Nov 21)
- Re: chroot useful? Darren Reed (Nov 20)
- Re: chroot useful? Anton J Aylward (Nov 17)
- RE: chroot useful? Joseph Judge (Nov 17)
- Re: chroot useful? Paul McNabb (Nov 17)
- Re: chroot useful? Paul McNabb (Nov 17)
- Re: chroot useful? C. Harald Koch (Nov 20)
- Re: chroot useful? Anton J Aylward (Nov 20)
- Re: chroot useful? chuck yerkes (Nov 21)
- Re: chroot useful? Adam Shostack (Nov 21)
- Re: chroot useful? chuck yerkes (Nov 21)
- Re: chroot useful? Paul McNabb (Nov 20)
- Re: chroot useful? Colin Campbell (Nov 21)
- Small code (was Re: chroot useful?) chuck yerkes (Nov 23)
- Re: chroot useful? Colin Campbell (Nov 21)