[H-GEN] /dev/log inside a chroot

Martin Pool mbp at linuxcare.com.au
Thu Aug 24 21:13:35 EDT 2000


On Thu, Aug 24, 2000 at 11:44:43PM +1000, Anthony Towns wrote:
> On Thu, Aug 24, 2000 at 01:50:48PM +1000, David Jericho wrote:
> > On Wed, Aug 23, 2000 at 03:08:28PM +1000, Rob Kearey wrote:
> > > > [1] Jokes about the uselessness of chroot'ing something under RedHat will
> > > > be met with a large baseball bat with a nail poking out the head.
> > > What issues would there be with chrooting in RedHat, as opposed to any
> > > other Linux distro, as further opposed to $FAVOURITE_UNIX?
> > As they say, a Unix system is often only as secure as the administrator
> > makes it.  RedHat has some buggy programs, but I ask of you
> > blinded-by-the-faith Debian fans out there, how many of the holes
> > are actually software that would/should be running on a production
> > server?
> 
> If you can escape a chroot jail, that's the kernel's fault, not an
> application's, though, and hence, presumably, not the distribution's fault
> either. 

Phooey.  What if there is a world-writable /dev/hda in the jail?  More
reasonably, suppose the machine trusts TCP connections from localhost,
or packets from localhost can get onto a supposedly protected network.
Or suppose that there's a syslogd bug which can be exploited through
/dev/log.  There are lots of examples which are not the kernel's
fault.  Constructing really secure chroot jails is a black (or at
least navy blue) art.

> Although I was under the impression that chroot jails aren't
> entirely secure under Linux. I can't remember any details to back this
> up though.

The answer used to be that the kernel would often just check euid==0
before doing a privileged operation, so that somebody could break out
of a jail or cause damage if they had root inside it.  This is now
much less common in favour of capabilities, and in the medium term
this will help a great deal.  For example:

   asmlinkage int sys_reboot(int magic1, int magic2, int cmd, void * arg)
   {
           char buffer[256];

           /* We only trust the superuser with rebooting the system. */
           if (!capable(CAP_SYS_BOOT))
                   return -EPERM;


But capabilities require more learning and thought on the part of the
person constructing the jail.  So sysadmins should rethink their
systems, and it will take a release or two for this to propagate into
all the distros.

-- 
Martin Pool, Linuxcare, Inc.
+61 2 6262 8990
mbp at linuxcare.com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
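An added example of the capability-based jail construction Martin describes (my code, not part of his mail or of the kernel source he quotes): enter a chroot, then drop from the bounding set the capabilities that a uid-0 process inside the jail could otherwise use to get back out or to reach the host (chroot again and walk out, mknod a /dev/hda, mount, load a module, raw I/O, ptrace, reconfigure the network, or reboot, which is the capable(CAP_SYS_BOOT) check quoted above), so that whatever is then exec'd in the jail runs as root without them. The capability numbers are those of <linux/capability.h> and the CapEff/CapBnd line format is that of /proc/<pid>/status; the jail path /var/jail, the list of dangerous capabilities and the exec'd /bin/sh are my assumptions. jail_enter() needs Linux and root; the mask helpers run anywhere.

```c
/* Added example (not from the mail or the kernel source it quotes):
 * build a chroot jail and drop the capabilities a uid-0 process inside it
 * could use to escape, before exec'ing the jailed program. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Capability numbers as defined in <linux/capability.h>. Redeclared here
 * so the mask helpers below also compile on non-Linux systems. */
enum {
    CAP_NET_BIND_SERVICE = 10,
    CAP_NET_ADMIN        = 12,
    CAP_SYS_MODULE       = 16,
    CAP_SYS_RAWIO        = 17,
    CAP_SYS_CHROOT       = 18,
    CAP_SYS_PTRACE       = 19,
    CAP_SYS_ADMIN        = 21,
    CAP_SYS_BOOT         = 22,
    CAP_MKNOD            = 27
};

/* Capabilities that let root inside the jail reach the host (assumed list):
 * chroot again and walk out, create a /dev/hda node, mount, load modules,
 * raw port/device I/O, ptrace processes outside the jail, reconfigure the
 * network, or reboot (the capable(CAP_SYS_BOOT) check quoted in the mail). */
static const int dangerous[] = {
    CAP_SYS_CHROOT, CAP_MKNOD, CAP_SYS_ADMIN, CAP_SYS_MODULE,
    CAP_SYS_RAWIO, CAP_SYS_PTRACE, CAP_NET_ADMIN, CAP_SYS_BOOT
};
static const size_t ndangerous = sizeof dangerous / sizeof dangerous[0];

/* Parse the hex value of a "CapEff:\t<hex>" (or CapBnd:/CapPrm:) line from
 * /proc/<pid>/status. Returns 0 for a line that carries no value. */
static unsigned long long capmask_from_status_line(const char *line)
{
    const char *p = strchr(line, ':');
    if (p == NULL)
        return 0;
    p++;
    while (*p == ' ' || *p == '\t')
        p++;
    return strtoull(p, NULL, 16);
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
static int cap_in_mask(unsigned long long mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* The mask a jailed process should be left with: `mask` minus dangerous[]. */
static unsigned long long jail_safe_mask(unsigned long long mask)
{
    for (size_t i = 0; i < ndangerous; i++)
        mask &= ~(1ULL << dangerous[i]);
    return mask;
}

#ifdef __linux__
/* Enter the jail and shrink the bounding set. Needs root (chroot needs
 * CAP_SYS_CHROOT, PR_CAPBSET_DROP needs CAP_SETPCAP). Afterwards any
 * program exec'd by this process, even with uid 0, runs without the
 * dropped capabilities, because the bounding set caps what exec grants. */
static int jail_enter(const char *dir)
{
    /* chdir("/") last, so the cwd is inside the new root, not outside it. */
    if (chdir(dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return -1;
    for (size_t i = 0; i < ndangerous; i++)
        if (prctl(PR_CAPBSET_DROP, dangerous[i], 0, 0, 0) != 0)
            return -1;
#ifdef PR_SET_NO_NEW_PRIVS
    /* Stop setuid/file-capability binaries in the jail from regaining them. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
#endif
    return 0;
}
#endif

int main(int argc, char **argv)
{
#ifdef __linux__
    const char *dir = argc > 1 ? argv[1] : "/var/jail";   /* assumed path */
    if (jail_enter(dir) != 0) {
        perror("jail_enter");
        return 1;
    }
    /* The jail must carry its own /bin/sh (assumed); it inherits the reduced
     * bounding set, visible as the CapBnd line in its /proc/self/status. */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
#else
    (void)argc; (void)argv;
    fputs("jail_enter() is Linux-only; the mask helpers still work here\n", stderr);
    return 0;
#endif
}
```

Run it as root with the jail directory as its argument, then read CapBnd from /proc/<pid>/status of the shell it exec'd and feed the line to capmask_from_status_line(): CAP_SYS_CHROOT, CAP_MKNOD and the rest of dangerous[] should be clear while CAP_NET_BIND_SERVICE stays set. Two caveats: PR_CAPBSET_DROP only limits what survives the exec, so a long-running root daemon that wants to strip its own current effective set must use capset(2) (libcap's cap_set_proc) instead; and none of this helps with the non-kernel problems in the mail, such as a world-writable device node or a syslogd reachable through /dev/log, which the jail's contents still have to get right.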