Firewall Wizards mailing list archives
Re: chroot useful?
From: Anton J Aylward <anton () toronto com>
Date: Sat, 15 Nov 1997 08:38:07 -0500
At 02:54 AM 14/11/97 +0000, Steven M. Bellovin wrote:
> That was precisely my point -- that this opinion is not correct. There are numerous ways for root to break out of a chroot() "jail"; the simplest is to do mknod() to create new special device files for the real disks, and mount new file systems on those devices. Many other variants are possible as well.
Could you clarify this please.

Suppose I have a subdirectory which I chroot to which has the following subdirectories:

    etc   contains passwd with a single non-root entry, no other files
    bin   contains a statically linked restricted shell, preferably a very
          limited one, not bash, csh or bsh
    dev   contains nothing
    lib   contains nothing
    home  contains nothing

I now have a program which, as root, chroot()s to this point, sets PATH to "/bin", does a change of uid and group to 999 and then execl()s the statically linked restricted shell.

So, not being root, not having the utilities, anyone breaking in here must have to download their own binaries, I suppose. Or is there something else going on?

Like trolling for Rick Smith and his debates about chroot vs the Type Enforcement such as is used in Sidewinder, which occurred in the old Brent Chapman's Firewalls group around the beginning of 1997, a debate Marcus was also involved in. You're welcome to review his arguments against chroot, which were essentially that the chroot "jail" was a side effect of the virtualization of the file system that Dennis developed and - to some degree - a misinterpretation and debasement of its function. Sort of like using a knife as a screwdriver. Rick advocated type enforcement, not because his company produced a product which used it, but because it was correct by design for this function.

I hope I haven't misinterpreted you, Rick, with that highly truncated precis.

/anton
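The jail-entry sequence Anton describes (chroot, PATH restricted to the jail's bin, change to uid/gid 999, exec a static restricted shell), written out as an added example; this is not code from the list or from any product mentioned in the thread. The jail path /var/jail, the shell name /bin/rsh, and the uid/gid 999 are illustrative assumptions. Two steps the post does not mention are included because a practitioner would want them: chdir("/") after chroot(), since chroot() does not move the working directory, and setgroups() before setgid()/setuid(), since supplementary groups are otherwise kept. execve() with an explicit environment is used instead of execl() so that nothing but PATH=/bin is inherited.

```c
/* jailsh.c: enter a chroot jail, drop root, exec a static restricted shell.
 * Added example (not from the mailing list). JAIL_DIR, JAIL_SHELL and the
 * uid/gid are assumptions; the directory layout is the one in the post. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_DIR   "/var/jail"   /* assumption: not named in the post */
#define JAIL_SHELL "/bin/rsh"    /* assumption: "statically linked restricted shell" */
#define JAIL_UID   999
#define JAIL_GID   999

/* Move the calling process into `jail` and drop to uid/gid.
 * Returns 0 on success, -1 with errno set on any failure, in which case the
 * caller must not exec: a half-entered jail is worse than none. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    struct stat st;

    if (stat(jail, &st) == -1)
        return -1;
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    if (uid == 0 || gid == 0) {      /* the whole point is to stop being root */
        errno = EINVAL;
        return -1;
    }

    /* cwd into the jail before the root moves ... */
    if (chdir(jail) == -1)
        return -1;
    if (chroot(jail) == -1)
        return -1;
    /* ... and again after: chroot() leaves the cwd where it was, and a cwd
     * outside the new root still reaches the real filesystem. */
    if (chdir("/") == -1)
        return -1;

    /* Supplementary groups first, then gid, then uid: once the uid is
     * non-zero, setgroups() and setgid() are no longer permitted. */
    if (setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;

    /* The drop must be irreversible: regaining root has to fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Environment limited to PATH=/bin inside the jail, as the post says. */
    char *const envp[] = { "PATH=/bin", NULL };
    char *const argv[] = { "-rsh", NULL };   /* leading '-' requests a login shell */

    if (enter_jail(JAIL_DIR, JAIL_UID, JAIL_GID) == -1) {
        perror("enter_jail");
        return 1;
    }
    /* JAIL_SHELL is now resolved relative to the new root. */
    execve(JAIL_SHELL, argv, envp);
    perror("execve");
    return 1;
}
```

Build with `cc -static -o jailsh jailsh.c` and run it as root; it needs CAP_SYS_CHROOT (root) for the chroot() call and exits non-zero, without exec'ing anything, if any step fails. Whether an unprivileged process confined this way can still escape is exactly the question Anton is asking; the example only shows the confinement done in the order that does not leave root, the cwd, or the group list behind.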
Current thread:
- Re: chroot useful?, (continued)
- Re: chroot useful? Paul McNabb (Nov 12)
- Re: chroot useful? Douglas R. Steinbaum (Nov 13)
- Re: chroot useful? Darren Reed (Nov 14)
- Re: chroot useful? Steven M. Bellovin (Nov 14)
- Re: chroot useful? Aleph One (Nov 14)
- Re: chroot useful? Steven M. Bellovin (Nov 15)
- Re: chroot useful? Bernhard Schneck (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Anton J Aylward (Nov 15)
- Re: chroot useful? Steven M. Bellovin (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 15)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 16)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Rick Murphy (Nov 17)
- Hardening, (was Re: chroot useful?) Marcus J. Ranum (Nov 20)
- Re: Hardening, (was Re: chroot useful?) Paul D. Robertson (Nov 21)
- Re: chroot useful? C. Harald Koch (Nov 20)
- Re: chroot useful? Darren Reed (Nov 16)