From: daw@mozart.cs.berkeley.edu (David Wagner)
To: linux-kernel@vger.kernel.org
Subject: Re: prevent breaking a chroot() jail?
Date: 5 Jul 2002 21:00:55 GMT [thread overview]
Message-ID: <ag51e7$rru$1@abraham.cs.berkeley.edu> (raw)
In-Reply-To: 1025879850.11004.75.camel@zaphod
Shaya Potter wrote:
>if one changed the semantics of chroot() to also do a chdir() to the new root,
>would that be fixed?
There are lots of other ways for root to escape from a chroot jail.
For example: Take control of another process using ptrace, mknod a new
device, use the loopback filesystem to create new devices, mount /proc and
modify /dev/kmem, bind to privileged ports and escape over the network,
kill servers and re-bind to their addresses, mount a new filesystem,
bang on IPC or shared memory, load a loadable kernel module, directly
access hardware with iopl(), and so on.
Moreover, note that chrooted root processes can do lots of other harm:
kill all the rest of the processes on the box, set the time of day,
set the local hostname, reboot your machine, use sysctl to turn on
some dangerous option (e.g., IP forwarding), renice other processes,
and the like. This is probably not so good, either.
Chroot is a lot better than nothing, but it doesn't provide a
secure jail, especially not for root. However, the following
tools are intended to provide a secure jail, and may be of interest
to you: SubDomain (http://www.immunix.org/subdomain.html), Janus
(http://www.cs.berkeley.edu/~daw/janus/), and BSD's jail() system call
come to mind. Also, may I point you to the Linux Security Modules project
(http://lsm.immunix.org/)? I think you may find it of interest.
next prev parent reply other threads:[~2002-07-05 21:13 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2002-07-05 13:50 prevent breaking a chroot() jail? Shaya Potter
2002-07-05 14:02 ` Miquel van Smoorenburg
2002-07-05 14:37 ` Shaya Potter
2002-07-05 16:14 ` Jesse Pollard
2002-07-05 21:00 ` David Wagner [this message]
2002-07-05 22:26 ` Martin Josefsson
2002-07-05 14:15 ` Thunder from the hill
2002-07-05 15:17 ` Vance Lankhaar
2002-07-05 18:15 ` H. Peter Anvin
2002-07-05 18:45 ` Ville Herva
2002-07-05 21:15 ` Alan Cox
2002-07-05 21:48 ` Jeff Dike
2002-07-05 21:07 ` Ville Herva
2002-07-05 21:35 ` Alan Cox
2002-07-09 3:07 ` Pavel Machek
-- strict thread matches above, loose matches on Subject: below --
2002-07-05 15:16 Hank Leininger
2002-07-05 16:17 ` Ville Herva
2002-07-09 13:41 ` Bill Davidsen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='ag51e7$rru$1@abraham.cs.berkeley.edu' \
--to=daw@mozart.cs.berkeley.edu \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.