WebApp Sec mailing list archives
RE: Chroot jails
From: "Wall, Kevin" <Kevin.Wall () qwest com>
Date: Wed, 21 Sep 2005 07:54:13 -0500
Antoine Martin writes...
Wondered if people could give me their opinions on chroot jailsAFAIK, chroot on linux is fundamentally insecure - look for the 'chroot-again' flaw. Last time I checked it still worked and allowed to escape.A chrooted jail without dropping privileges is vain anyway. Indeed. Which is why I prefer: http://www.suse.de/~marc/compartment.html Unlike chroot you can drop privileges in one swoop. It deserves to be mentioned in this thread.
'compartment' looks like like a separate executable, typically
invoked at the shell level.
Is there anything like this in SuSE or other *nix variations that
does something similar to this in a single, atomic system call?
---
Kevin W. Wall Qwest Information Technology, Inc.
Kevin.Wall () qwest com Phone: 614.215.4788
"The reason you have people breaking into your software all
over the place is because your software sucks..."
-- Former whitehouse cybersecurity advisor, Richard Clarke,
at eWeek Security Summit
Current thread:
- Chroot jails Steve.Cummings (Sep 20)
- Re: Chroot jails JamesHorwath (Sep 20)
- Re: Chroot jails Antoine Martin (Sep 20)
- Re: Chroot jails Ingo Struck (Sep 20)
- Re: Chroot jails Antoine Martin (Sep 21)
- Re: Chroot jails Ingo Struck (Sep 20)
- Re: Chroot jails Mamading Ceesay (Sep 20)
- Re: Chroot jails xyberpix (Sep 20)
- Re: Chroot jails Paul Wong (Sep 21)
- <Possible follow-ups>
- RE: Chroot jails Craig Wright (Sep 20)
- RE: Chroot jails Wall, Kevin (Sep 21)