Firewall Wizards mailing list archives

Re: chroot useful?


From: mcnabb () argus-systems com (Paul McNabb)
Date: Fri, 14 Nov 1997 16:43:38 -0600

 From: Bernhard Schneck <Bernhard_Schneck () genua de>
 
 In message <199711132205.RAA01373 () itd nrl navy mil> you write:
  > I was under the impression that running the chroot() command on a UNIX 
  > box would make it impossible for all subsequently launched programs to 
  > access files located above the newly defined root point, even if such 
  > programs are launched with a UID of 0.  [...]
 
 Probably most members of this list know already (or why would this
 be a ``wizzards'' list :-), but the usual unix/posix system call
 specifications *require* a way to break out of a chroot environment
 (at least for root).
 
 So either don't trust chroot, or don't be posix.

However, on Unix systems using privilege instead of root, a process
with UID=0 is treated like any other process in terms of chroot().
With the Argus stuff, the privilege to override for chroot is separate
from all others, so you can in fact use chroot for isolation.

Of course with B-level security or capabilities (such as Decaf) you
can remove files and directories from the domain of a process, but
this is based on access control rather than namespace modification.

paul

---------------------------------------------------------
Paul McNabb                     Argus Systems Group, Inc.
Vice President and CTO          1809 Woodfield Drive
mcnabb () argus-systems com        Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433                "Securing the Future"
---------------------------------------------------------
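The practical consequence of both messages above, from the defender's side, is that a chroot is only a confinement once the process inside it has permanently given up root (or, on a privilege- or capability-based system, the specific privilege that overrides chroot). The following C program is an added example and not code from the original post or from Argus Systems: it performs the sequence in the order that actually matters (chroot, chdir into the new root, drop supplementary groups, gid, uid) and refuses outright to "confine" a process that would remain uid 0. The jail path `/var/empty-jail-placeholder` and the uid/gid 65534 are assumptions; `setgroups()` is not POSIX but is present on Linux and the BSDs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to `jail` and permanently drop root.
 * Returns 0 on success, -1 with errno set on failure.
 * Order matters: chroot() first (it needs root), then chdir("/") so the
 * working directory lies inside the new root, then give up supplementary
 * groups, gid and uid.  Once the process is no longer uid 0 it cannot call
 * chroot() itself any more, which is what makes the jail meaningful on a
 * POSIX system. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    struct stat st;

    /* Refuse to "confine" a process that would stay root: on a POSIX
     * system that is exactly the configuration the thread warns about. */
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (stat(jail, &st) == -1)
        return -1;                  /* errno from stat(), e.g. ENOENT */
    if (!S_ISDIR(st.st_mode)) {
        errno = ENOTDIR;
        return -1;
    }
    if (chroot(jail) == -1)
        return -1;                  /* EPERM unless root / CAP_SYS_CHROOT */
    if (chdir("/") == -1)
        return -1;
    if (setgroups(0, NULL) == -1)   /* drop supplementary groups first */
        return -1;
    if (setgid(gid) == -1)          /* gid before uid, or setgid() fails */
        return -1;
    if (setuid(uid) == -1)
        return -1;
    return 0;
}

/* Call after confine(): report whether the privileges needed to leave the
 * jail are really gone.  Returns 1 only if the process is not root and a
 * attempt to regain uid 0 is refused with EPERM. */
int privileges_dropped(void)
{
    if (geteuid() == 0 || getuid() == 0)
        return 0;
    if (setuid(0) != -1)            /* must be irreversible */
        return 0;
    return errno == EPERM;
}

int main(void)
{
    /* Jail path and uid/gid 65534 ("nobody" on many systems) are
     * assumptions for this example; adjust them for your host. */
    if (confine("/var/empty-jail-placeholder", 65534, 65534) == -1) {
        perror("confine");
        return 1;
    }
    printf("confined, privileges dropped: %s\n",
           privileges_dropped() ? "yes" : "NO");
    /* With root gone, "/" now means the jail: the host's /etc is out of reach. */
    printf("/etc/passwd inside jail: %s\n",
           access("/etc/passwd", R_OK) == 0 ? "visible" : "not visible");
    return 0;
}
```

Run it as root with an empty directory at the jail path: the second line of output should report "not visible", because the only files that exist under the new root are the ones you deliberately placed there. The `uid == 0` refusal in `confine()` is deliberate; a helper that silently chroots and stays root gives the false sense of security the thread describes.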
