Firewall Wizards mailing list archives
Re: chroot useful?
From: mcnabb () argus-systems com (Paul McNabb)
Date: Tue, 11 Nov 1997 09:34:10 -0600
From: Darren Reed <darrenr () cyber com au>

> 4) I didn't try mknod, but it should work the same way, right?

Yes. On a typical system, getting root in a chroot'd environment can mean "game over". When you start doing things like making kmem read-only, disallowing various system calls (mknod, for example), preventing raw devices from being opened, then chroot'd environments become safer places to let root programs run wild.

The same holds true on Solaris, of course. That's why on the Solaris firewalls and network servers we work with at customer sites, we make it so that people connecting using any network daemon for any protocol cannot use the chmod or uadmin system calls, even if they are root. We make all memory devices and all disk devices entirely off-limits, even to processes running as root. And finally, we turn off read, write, and execute for almost all files, directories, programs, and devices on the system, again even for root. When this is in place, you don't really chroot for protection any more. You use chroot only when you need to provide an alternate environment for a process or session.

paul

---------------------------------------------------------
Paul McNabb                    Argus Systems Group, Inc.
Vice President and CTO         1809 Woodfield Drive
mcnabb () argus-systems com    Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433               "Securing the Future"
---------------------------------------------------------
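
A present-day Linux counterpart to "disallowing various system calls (mknod, for example)" even for root, added here as an example and not taken from the message above or from any Argus product: a seccomp-BPF filter that makes mknod and mknodat fail with EPERM for a process and everything it later forks or execs. It assumes Linux on x86_64; the function name and the FIFO path used to exercise it are hypothetical.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Assumption: x86_64 only. Foreign or x32 ABI calls are killed, not inspected. */
static struct sock_filter deny_mknod[] = {
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, AUDIT_ARCH_X86_64, 0, 6),
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JGE | BPF_K, 0x40000000, 4, 0), /* x32 bit set */
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mknod, 1, 0),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_mknodat, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS),
};

/* Returns 0 if mknod() failed with EPERM under the filter, 1 if it did not,
 * 2 if the filter could not be installed, -1 on fork/wait failure. */
int mknod_denied_under_filter(const char *path)
{
    struct sock_fprog prog = {
        .len = sizeof(deny_mknod) / sizeof(deny_mknod[0]),
        .filter = deny_mknod,
    };
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) { /* child: the filter is irrevocable, uid 0 included */
        if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0 ||
            prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog) != 0)
            _exit(2);
        int rc = mknod(path, S_IFIFO | 0600, 0); /* FIFO: needs no privilege */
        if (rc == 0) unlink(path);
        _exit(rc == -1 && errno == EPERM ? 0 : 1);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}
```

In a real service the filter would be installed by the launcher before it calls chroot and execs the daemon, so the restriction is already in force when untrusted input is first handled.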