Vulnerability Development mailing list archives

Re: OT? Are chroots immune to buffer overflows?


From: Hank Leininger <vuln-dev () progressive-comp com>
Date: Tue, 28 May 2002 13:59:35 -0400

On 2002-05-23, Jan Werner <xian () mat uni torun pl> wrote:

On Wed, 22 May 2002, L. Walker wrote:

[note: my question is WRT non-root chrooted jails - we all know
about chroot'ing root processes!]

There are ways to break out of chroot'ed environment:
1. If the chroot'ed program does not chdir("/") then there's a way to
[snip]
2. If the system does not provide any limitations for the jail, you can trace
programs outside of the jail, send them signals, use raw devices, etc.

...And of course several other things (mknod/open, mount, ioctl, sysctl,
kill, etc) can get you into trouble if you let a (e)uidzero process loose
inside a chroot jail.  Note that the original question included a
disclaimer that that wasn't what he was interested in :-P

Some limitations for Linux (I remind that this OS appeared in the thread)
can be implemented, for example, with the grsecurity kernel patch:
http://grsecurity.net/features.html

GRSecurity has a number of things rolled into it; afaik the chroot
protections it does come from my HAP-Linux patches (I support only 2.2.x,
they updated things to 2.4; they also make the CONFIG options more granular
and add sysctl knobs).  Ultimately, trying to be safe in the face of a
compromise of uidzero inside chroot is doomed to failure.  However, I would
be very interested to hear about any specific ways to break chroot that I
haven't already covered (I think sysv shmem, etc. is still a problem
currently); look for CONFIG_SECURE_CHROOT in:

http://www.theaimsgroup.com/~hlein/hap-linux/

Thanks,

Hank Leininger <hlein () progressive-comp com> 
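As an added example (not code from this thread, HAP-Linux or grsecurity), the order a jail should be entered in on the application side so that item 1 above cannot apply: chroot(), then chdir("/"), then drop groups, gid and uid, then confirm uid zero cannot be regained. The jail directory and the uid/gid values in main are hypothetical.

```c
/* Enter a chroot jail as an unprivileged user.  Returns 0 on success,
 * -1 on failure with errno set; a caller should abort on -1 rather
 * than carry on half-jailed. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {            /* never build a uid-zero jail */
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) != 0)                  /* needs CAP_SYS_CHROOT / root */
        return -1;
    if (chdir("/") != 0)                   /* otherwise cwd is still outside */
        return -1;
    if (setgroups(0, NULL) != 0)           /* drop supplementary groups */
        return -1;
    if (setgid(gid) != 0)                  /* gid before uid, or setgid fails */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop is permanent: regaining uid 0 must be impossible. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    /* Hypothetical jail path and "nobody"-style ids; must start as root. */
    if (enter_jail("/var/jail", 65534, 65534) != 0) {
        fprintf(stderr, "enter_jail: %s\n", strerror(errno));
        return 1;
    }
    puts("inside jail as unprivileged user");
    return 0;
}
```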