On Wed, 26 Jun 2002, Peter Mueller wrote:

> reducing root-run code from 27000 to 2500 lines is the important part.
> who cares how many holes there are when it is in /var/empty/sshd chroot
> with no possibility of root :)

Interesting approach. This gives the attacker an opportunity to access your system. Exploiting local bugs in the kernel aside... using your system for further compromises or other behavior of this nature aside... chroot is still not a silver bullet. It essentially provides a filesystem-level separation - but not on every system does this mean any particular IPC restrictions, for example.

Having an attacker in the system, no matter what his uid is, is a serious problem. The attacker with no direct ability to do rm -rf / or to change your webpage would perhaps be considered less serious, but I do not buy this argument. If you maintain your system properly and patch it on a regular basis, script kiddies are really not that difficult to get rid of. Even if you actually get compromised, it is probably better for the kiddie to be able to do something terribly evident, so you can know about the compromise, restore the data and continue. Script kiddies rarely have access to exploits for not yet published vulnerabilities and so on.

It is people with some serious intent and skills you should fear, and having one with uid != 0 does not make me feel any safer. Sure, privilege separation is an added value - it will protect clueless people who do not keep up with patches from mass defacements - but that's it.

--
_____________________________________________________
Michal Zalewski [lcamtufat_private] [security]
[http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
=-=> Did you know that clones never use mirrors? <=-=
http://lcamtuf.coredump.cx/photo/
This archive was generated by hypermail 2b30 : Wed Jun 26 2002 - 21:27:25 PDT