Re: chroot useful?

[Anton J Aylward <anton () toronto com>]

At 02:54 AM 14/11/97 +0000, Steven M. Bellovin wrote:

> That was precisely my point -- that this opinion is not correct.  There
> are numerous ways for root to break out of a chroot() "jail"; the simplest
> is to do mknod() to create new special device files for the real disks, and
> mount new file systems on those devices.  Many other variants are possible
> as well.

Could you clarify this please.

Suppose I have a subdirectory which I chroot to which has the
following subdirectories:
        etc
                contains passwd with single non root entry
                         no other files
        bin
                contains statically linked resticted shell
           preferably a very limited one. not bash, csh or bsh
        dev
                contains nothing
        lib
                contains nothing
        home
                contains nothing

I now have a program which, as root, chroot()s to this point
sets PATH to "/bin", does a change uid and group to 999 and then
execls the statically linked restricted shell.

So, not being root, not having the utilities, anyone breaking in here
must have to download their own binaries, I suppose.

Or is there something else going on.   Like trolling for
Rick Smith and his debates about chroot vs the Type Enforcement
such as is used in Sidewinder, which occurred in the old Brent Chapman's
Firewalls group around the begriming of 1997, a debate Marcus was
also involved in.  You're welcome to review his arguments against
chroot, which were essentially that the chroot "jail" wa a side effect of
the virtualization of the file system that Dennis developed and - to
some degree - a misinterpretation and debasement of its function.
Sort of like using a knife as a screwdriver.   Rick advocated
type enforcement, not because his company produced a product which used
is, but because it was correct by design for this function.

I hope I haven't misinterpreted you, Rick, with that highly truncated
precis.

/anton