Vulnerability Development mailing list archives
Re: OT? Are chroots immune to buffer overflows?
From: Hank Leininger <vuln-dev () progressive-comp com>
Date: Tue, 28 May 2002 13:59:35 -0400
On 2002-05-23, Jan Werner <xian () mat uni torun pl> wrote:
> On Wed, 22 May 2002, L. Walker wrote:
> > [note: my question is WRT non-root chrooted jails - we all know about chroot'ing root processes!]
>
> There are ways to break out of a chroot'ed environment:
> 1. If the chroot'ed program does not chdir("/") then there's a way to

[snip]

> 2. If the system does not provide any limitations for the jail, you can trace programs outside of the jail, send them signals, use raw devices, etc ...

...And of course several other things (mknod/open, mount, ioctl, sysctl, kill, etc) can get you into trouble if you let a (e)uidzero process loose inside a chroot jail. Note that the original question included a disclaimer that that wasn't what he was interested in :-P

> Some limitations for Linux (I remind you that this OS appeared in the thread) can be implemented, for example, with the grsecurity kernel patch: http://grsecurity.net/features.html

GRSecurity has a number of things rolled into it; afaik the chroot protections it does come from my HAP-Linux patches (I support only 2.2.x, they updated things to 2.4; they also make the CONFIG options more granular and add sysctl knobs).

Ultimately, trying to be safe in the face of a compromise of uidzero inside chroot is doomed to failure. However, I would be very interested to hear about any specific ways to break chroot that I haven't already covered (I think sysv shmem, etc is still a problem currently); look for CONFIG_SECURE_CHROOT in: http://www.theaimsgroup.com/~hlein/hap-linux/

Thanks,
Hank Leininger <hlein () progressive-comp com>