Firewall Wizards mailing list archives
Re: chroot useful?
From: Anton J Aylward <anton () toronto com>
Date: Sun, 16 Nov 1997 08:55:33 -0500
At 07:12 PM 16/11/97 +1100, Darren Reed wrote: ## Reply Start ##
[...mjr's email deleted...] So, how many firewalls out there implemented with any of the common operating systems (be they free or commercial) actually do this ?
Why not ask them. Many claim to run "hardened" versions of BSD or LINUX. Vulnerabilites and exploits are well publicized, and many of the developers read these lists. I doubt many are going to be so arrogant as to take a NIH approach to something Marcus has contributed to the state of the technology ;-)
Yes, you can do these things. You can do a lot more too. But, as Marcus says, you have to know what to modify and how to modify it. Once you've got that knowledge, it's relatively trivial to hack it and make it work.
First: You don't need to, you being the end user of the firewall. The firewall designer, the guy hardening the BSD or writing from scratch DOES need to be aware of these things, as well as the techniques. Chroot() is just one way of implementing a technique of virtualizing a file system - putting the process in a box, if you will. Other modified kernels have made the sockets only accessible thru the file system (/dev/tcp/smtp ==> handler to look up the next segment in the path such as /dev/tcp/smtp/nfr.com for example; this one has been documented) Second: You are playing with language here, using 'hack' in the pejorative. What marcus did was redefine the specification of the kernel to say that if a process is chroot()ed then it has reduced privilege. He showed how that could be SIMPLY implemented using existing systems, without having to invest in building a new system and preserving the investment in already existing experience and technology. To me that makes damn good business sense.
Yes, I am working on something to address this and other related issues without being too complacent it or naive about what the result will be.
This is a clean sheet design, right, which doesn't use ANY BSD or LINUX code? Or any other stuff in the public domain? I'm glad you've got someone financing you for this. I hope they'll also finance marketing your work against the established products as well as those that will get to market in 10% of the time by "hacking" at the LINUX and BSD kernels, as have many of the existing firewall - and other security oriented - products. /anton ## Reply End ## -------------------------------------------------------------------------- Anton J Aylward | "Quality refers to the extent to which The Strahn & Strachan Group Inc | processes, products, services, and Information Security Consultants | relationships are free from defects, Voice: (416) 421-8182 | constraints and items which do not add Fax: (416) 421-8183 | value." - Dr. Mildred G Pryor, 1995
Current thread:
- Re: chroot useful?, (continued)
- Re: chroot useful? Steven M. Bellovin (Nov 15)
- Re: chroot useful? Bernhard Schneck (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Anton J Aylward (Nov 15)
- Re: chroot useful? Steven M. Bellovin (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 15)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 16)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Rick Murphy (Nov 17)
- Hardening, (was Re: chroot useful?) Marcus J. Ranum (Nov 20)
- Re: Hardening, (was Re: chroot useful?) Paul D. Robertson (Nov 21)
- Re: chroot useful? C. Harald Koch (Nov 20)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Wolfgang Ley (Nov 16)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Aleph One (Nov 17)
- syscall wrappers (was Re: chroot useful?) Bennett Todd (Nov 17)