Subject: Re: i386 IO access and chroot()
To: None <>
From: Michael Richardson <>
List: tech-security
Date: 07/14/2001 22:17:00
>>>>> "Greg" == Greg A Woods <> writes:
    Greg> However I don't think mknod(2) is disabled at securelevel>=2 yet,
    Greg> and it probably should be, though you can work around that by
    Greg> putting the chroot jail on a filesystem mounted with 'nodev' (and
    Greg> maybe 'nosuid' too!).

  While this works for specific cases, it fails for general chroot-jails.
  (e.g. where you want to let a user login and run /bin/sh...)

  You need /dev/null and a bunch of other stuff. 

  In one situation I was involved in, we had a chroot() area for each 
user. It cost some disk space, but that is too cheap to worry about now.
A hacked sshd called chroot() to their homedir, and set $HOME to /work.
  Mounting some kind of devfs onto /dev that only did /dev/null, etc.
didn't seem a very scalable idea. I'd like "nodev1" and "nodev2" or some
such, or a way to do the equivalent of "nodev" in the chroot() call..

    Greg> If there are any more buffer-overflow style vulnerabilities in the
    Greg> kernel then that's another potential avenue of escape.....

    Greg> I don't know if anyone's explored the possibilities of (ab)using
    Greg> networking services from within the chroot jail yet either....

  I also want to disable networking when I make my jail :-)

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [