Re: chroot useful?

[Darren Reed <darrenr () cyber com au>]

In some mail I received from Douglas R. Steinbaum, sie wrote
> Regarding the comment made by Steve Bellovin (pasted at the end of this 
> message):
>
> I was under the impression that running the chroot() command on a UNIX 
> box would make it impossible for all subsequently launched programs to 
> access files located above the newly defined root point, even if such 
> programs are launched with a UID of 0.  Thus, the command could be used 
> as a simple "wrapper" to prevent a user application program which is not 
> completely trusted (for example, a commercial SW package for which source 
> code is unavailable) from being misused to access critical system files.  
> That is, chroot could be run to define the root point such that critical 
> files are inaccessible, and then the untrusted application would 
> subsequently be launched.  Is this not correct?

No.  If it can write to /dev/kmem (especially), then all it needs to do
is call the mknod(2) system call, create the right device for /dev/kmem,
open it, search for the right place in memory to change and voila! No
more chroot'd environment.  Most of the buffer exploits for programs
could be converted to do that or make it possible.

chroot is best used, in the way you describe above, to limit the reach of
non-root programs.

I wouldn't regard denying write perms to /dev/kmem a panacea either.  I
think you need to go a lot further than that before the chroot environment
is safe for root programs.  As Steve said, chroot doesn't create a virtual
environment which is what you (and a lot of people) confuse it for doing.

Darren