On 2002-05-23, Jan Werner <xianat_private> wrote:
> On Wed, 22 May 2002, L. Walker wrote:
>
> > > [note: my question is WRT non-root chrooted jails - we all know
> > > about chroot'ing root processes!]
>
> There are ways to break out of a chroot'ed environment:
> 1. If the chroot'ed program does not chdir("/") then there's a way to
[snip]
> 2. If the system does not provide any limitations for the jail you can trace
> programs outside of the jail, send them signals, use raw devices, etc ...

...And of course several other things (mknod/open, mount, ioctl, sysctl,
kill, etc) can get you into trouble if you let a (e)uidzero process loose
inside a chroot jail. Note that the original question included a
disclaimer that that wasn't what he was interested in :-P

> Some limitations for linux (I remind that this OS appeared in the thread)
> can be implemented, for example, with the grsecurity kernel patch:
> http://grsecurity.net/features.html

GRSecurity has a number of things rolled into it; afaik the chroot
protections it does come from my HAP-Linux patches (I support only 2.2.x,
they updated things to 2.4; they also make the CONFIG options more
granular and add sysctl knobs).

Ultimately, trying to be safe in the face of a compromise of uidzero
inside chroot is doomed to failure. However, I would be very interested
to hear about any specific ways to break chroot that I haven't already
covered (I think sysv shmem, etc is still a problem currently); look for
CONFIG_SECURE_CHROOT in:

http://www.theaimsgroup.com/~hlein/hap-linux/

Thanks,

Hank Leininger <hlein@progressive-comp.com>
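The two conditions the thread names, a chroot'ed process that never chdir("/")s and a uid-zero process left inside the jail, are the ones a jail-setup routine has to refuse or close before it does anything else. The C below is an added example written for this archive page; it is not code from the thread, HAP-Linux or grsecurity, the helper names `cwd_is_root` and `enter_jail` are hypothetical, and it assumes Linux/glibc.

```c
#define _DEFAULT_SOURCE /* declares chroot() and setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stddef.h>
#include <sys/stat.h>
#include <unistd.h>

/* Returns 1 when the current directory is the (possibly chrooted) root,
 * i.e. "." and "/" are the same inode on the same device. After a
 * chroot() that is not followed by chdir("/") this returns 0: the
 * process still sits outside the new root, which is point 1 above. */
int cwd_is_root(void)
{
    struct stat dot, root;
    if (stat(".", &dot) != 0 || stat("/", &root) != 0)
        return 0;
    return dot.st_dev == root.st_dev && dot.st_ino == root.st_ino;
}

/* Hypothetical helper: enter the jail at `dir` and drop to uid/gid.
 * Returns 0 on success, -1 with errno set on failure; on failure the
 * caller must exit rather than carry on half-jailed. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || uid == 0) {  /* uid 0 inside chroot is not a jail */
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) != 0)
        return -1;
    if (chdir("/") != 0)            /* close the "forgot chdir" hole */
        return -1;
    if (!cwd_is_root()) {           /* belt and braces: verify it took */
        errno = EIO;
        return -1;
    }
    /* Supplementary groups, then gid, then uid: once the uid is non-zero
     * the other two calls would be refused, so the order matters. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* The drop must be irreversible: regaining uid 0 has to fail. */
    if (setuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}
```

The early `uid == 0` refusal encodes the thread's conclusion directly: a caller that wants root inside the jail gets EINVAL instead of a false sense of containment.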
This archive was generated by hypermail 2b30 : Tue May 28 2002 - 12:47:54 PDT