Firewall Wizards mailing list archives
Re: chroot useful?
From: Anton J Aylward <anton () toronto com>
Date: Sun, 16 Nov 1997 08:43:22 -0500
At 07:12 PM 16/11/97 +1100, Darren Reed wrote: ## Reply Start ##
could be converted to do that or make it possible.suppose I don't have a /dev/kmem - see LINUXHmmm ? This doesn't exactly mean a lot.
LINUX doesn't have a /dev/kmem, it uses a /proc vie of things.
suppose I don't have a /dev in my chroot()'d environmentYou create it. mkdir(2)suppose I have a /dev/kmem in my chroot'd environment which is actually /dev/nullunlink("/dev/null"); mknod("/dev/kmem", 0667, 0xkmem_device);
Right, how? I'm not supplying you with a compiler & library, therefore you have to have some mechanism of uploading a previously compiled binary into the chroot'd area. You're blithely bypassing this step. Most security is an onion-skin approach. Your argument seems to be based on an absolutist approach. "Because chroot CAN be subverted given this set of conditions you should NOT use it." I disagree. If chroot()ing smap or ftpd can reduce the vulnerability by 80%, that's 80% less I have to worry about. I don't expect using chroot() to be my ONLY defense. I normally use chroot as an area to run smap (or equivalent). No shell. No user accounts on the machine. (Not that there's anything they can much do on the 'firewall' (HOHOHOHO) even if they break into it. For example, by the time smap is actually reading from its input its no longer running as root, so even a buffer overrun forcing the mknod() code down its throat - assuming I haven't made other kernel fixes courtesy of Solar woszzisname - won't do anything. Mount options on many file systems allow for "no setuid". Perhaps we need to add a "mknod restricted to regular files only" mount option as well. How about contributing that code to the list to go along with Marcus's changes? I repeat, security is an onionskin approach. Anyone with experience in this business knows that there is no SINGLE cure, (Other than Marcus's Perfect Firewall). I drill this into my clients and address it at all my presentations. And I still know full well that even if I have a "firewall" (HOHOHOHO) which is 99.9999998% guaranteed to keep the internet hackers out (or even Marcus's PF) I'm still only curing about 20% of the problem. But one final thing: lets work on coming up with improvements to make the defense more effective. Lets not throw out layers of the onionskin just because, by themselves, they could be subverted. /anton ## Reply End ## -------------------------------------------------------------------------- Anton J Aylward | "Quality refers to the extent to which The Strahn & Strachan Group Inc | processes, products, services, and Information Security Consultants | relationships are free from defects, Voice: (416) 421-8182 | constraints and items which do not add Fax: (416) 421-8183 | value." - Dr. Mildred G Pryor, 1995
Current thread:
- Re: chroot useful?, (continued)
- Re: chroot useful? Aleph One (Nov 14)
- Re: chroot useful? Steven M. Bellovin (Nov 15)
- Re: chroot useful? Bernhard Schneck (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Anton J Aylward (Nov 15)
- Re: chroot useful? Steven M. Bellovin (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 15)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 16)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Rick Murphy (Nov 17)
- Hardening, (was Re: chroot useful?) Marcus J. Ranum (Nov 20)
- Re: Hardening, (was Re: chroot useful?) Paul D. Robertson (Nov 21)
- Re: chroot useful? C. Harald Koch (Nov 20)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Wolfgang Ley (Nov 16)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Aleph One (Nov 17)