Firewall Wizards mailing list archives
Re: chroot useful?
From: chuck+fwwiz () yerkes com
Date: Mon, 10 Nov 1997 11:56:01 -0500 (EST)
It is claimed, but unverified, that Claudio Telmon wrote:
I always had some doubts about the real protection that a chrooted environment can give. As you know, there is a lot of things that can be done in this environment, supposing you can bring some binaries in it: connect to other ports using the loopback interface, connect to internal hosts etc.
[...]
My questions are: 1) Did I miss something so that my test is meaningless?
[...] Well, I'd guess yes. Why would you be able to mount things in a chroot environment? Moreoever how? Why would you remotely be able to bring over binaries? I guess my view is "bolt it down AND chroot it" - chroot alone is not enough. Or maybe we use chrooted areas differently. I usually use a readonly area for chroot and I run specific programs (daemons) in it - an http proxy, the rc5 cracking client, etc. Certainly not interactive jobs, usually with no RW area. When you have interactive stuff, you generally pull over so many binaries that you lose your chroot security - unless that interactive area is menu controlled or something and tightly controlled. When I'm really paranoid, I use a disk that's pinned readonly (finally, a use for those 105M quantums or that old 80 meg Mac drive!). When I need a R/W area, I have a R/O disk partition with the binaries and a DATA area mounted NOSUID. My WWW servers run like this as do POP and FTP - it keeps them out of trouble. In general on "security conscious" machines, I keep /usr and /usr/local partitions RO and everything that's read/write mounted NOSUID (/var, /, /home and so forth). In practice, this mostly helps limit mistakes by SA's and it forces a reboot to get it RO again - reboots are obvious to detect. (Been thinking of whacking at OpenBSD to get RO root areas - or perhaps booting into RAM from a CD, hmmm - a 256+ Meg machine, and I've gotten BSDI down to 50 meg installs... maybe some swap -- hmmmm, but I digress) chuck ---------------------------------------------- chuck () yerkes com consultant guy
Current thread:
- chroot useful? Claudio Telmon (Nov 08)
- Re: chroot useful? Darren Reed (Nov 09)
- Re: chroot useful? Claudio Telmon (Nov 09)
- Re: chroot useful? Joseph S. D. Yao (Nov 10)
- Re: chroot useful? Andreas Siegert (Nov 12)
- Re: chroot useful? chuck+fwwiz (Nov 10)
- <Possible follow-ups>
- Re: chroot useful? Paul McNabb (Nov 12)
- Re: chroot useful? Steven M. Bellovin (Nov 13)
- Re: chroot useful? C Matthew Curtin (Nov 21)
- Re: chroot useful? Steven M. Bellovin (Nov 13)
- Re: chroot useful? Paul McNabb (Nov 12)
- Re: chroot useful? Douglas R. Steinbaum (Nov 13)
- Re: chroot useful? Darren Reed (Nov 14)
- Re: chroot useful? Steven M. Bellovin (Nov 14)
- Re: chroot useful? Aleph One (Nov 14)
- Re: chroot useful? Steven M. Bellovin (Nov 15)
- Re: chroot useful? Bernhard Schneck (Nov 14)
- Re: chroot useful? Darren Reed (Nov 09)