Firewall Wizards mailing list archives
Re: chroot useful?
From: Darren Reed <darrenr () cyber com au>
Date: Sun, 16 Nov 1997 19:12:17 +1100 (EST)
In some mail I received from Anton J Aylward, sie wrote
At 01:55 PM 14/11/97 +1100, Darren Reed wrote:No. If it can write to /dev/kmem (especially), then all it needs to do is call the mknod(2) system call, create the right device for /dev/kmem, open it, search for the right place in memory to change and voila! No more chroot'd environment. Most of the buffer exploits for programs could be converted to do that or make it possible.suppose I don't have a /dev/kmem - see LINUX
Hmmm ? This doesn't exactly mean a lot.
suppose I don't have a /dev in my chroot()'d environment
You create it. mkdir(2)
suppose I have a /dev/kmem in my chroot'd environment which is actually /dev/null
unlink("/dev/null"); mknod("/dev/kmem", 0667, 0xkmem_device); Sure, you can prevent that with cetain file flags, but whether or not /dev/kmem or ~ftp/pub/kmem, makes no difference. One of the older NFS exploits was to create a /dev/kmem file from an otherwise untrusted network host that just happened to have root privs on the NFS volume. Once that file was created, say it was ~anton/kmem and was mode 666, it is exactly the same as /dev/kmem being 666.
Why oh why would you set up a chroot'd environment with the ability to break out of it, by supplying things like a compiler, syscall library.....
Who said anything about syscall libraries when you can do it in machine code anyway ?
There is also a very simple kernel tweek you can make.
Yup.
If the per process root inode is not the same as the system inode (i.e. the process is running chroot()'d) then disallow various system calls. I can claim originality for this....
You mean "can't"... [...mjr's email deleted...] So, how many firewalls out there implemented with any of the common operating systems (be they free or commercial) actually do this ? Yes, you can do these things. You can do a lot more too. But, as Marcus says, you have to know what to modify and how to modify it. Once you've got that knowledge, it's relatively trivial to hack it and make it work. Hacks are good short term solutions, designing a system that works, is functional and extensible is a tad more difficult but much more worthwhile. Yes, I am working on something to address this and other related issues without being too complacent it or naive about what the result will be. Darren
Current thread:
- Re: chroot useful?, (continued)
- Re: chroot useful? Steven M. Bellovin (Nov 14)
- Re: chroot useful? Aleph One (Nov 14)
- Re: chroot useful? Steven M. Bellovin (Nov 15)
- Re: chroot useful? Steven M. Bellovin (Nov 14)
- Re: chroot useful? Bernhard Schneck (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Anton J Aylward (Nov 15)
- Re: chroot useful? Steven M. Bellovin (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 15)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 16)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Rick Murphy (Nov 17)
- Hardening, (was Re: chroot useful?) Marcus J. Ranum (Nov 20)
- Re: Hardening, (was Re: chroot useful?) Paul D. Robertson (Nov 21)
- Re: chroot useful? C. Harald Koch (Nov 20)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Wolfgang Ley (Nov 16)
- Re: chroot useful? Darren Reed (Nov 16)