Subject: Re: Escaping a chroot jail
To: Steven M. Bellovin <firstname.lastname@example.org>
From: Thor Lancelot Simon <email@example.com>
Date: 07/14/2005 08:10:52
On Wed, Jul 13, 2005 at 06:42:44PM -0400, Steven M. Bellovin wrote:
> In message <firstname.lastname@example.org>, Michael Richards
> on writes:
> >>>>>> "Thor" == Thor Lancelot Simon <email@example.com> writes:
> > >> and then emulating the file system?
> > Thor> "Emulating" the file system?
> > cd /usr/src/sbin/dump; make
> Or mknod /dev/kmem and overwrite the root vnode pointer in the
> process's data structures.
Neither of which works if you run your system at the default security
level of 1.
From my point of view, this "discovery" looks more like "I turned off
the default security model, and now I can do things that it prohibits!";
surprise surprise, the default security model was _designed_, and these
are some of the things it was designed to avoid.
Rather than gross special-purpose hacks to forbid them even when the
system's been deliberately configured to be insecure, I suggest:
1) Running these chrooted processes under systrace
2) *Never* running chrooted processes as root
3) Never running daemons as root when any filesystem mounted writable is
not also mounted nodev.
Thor Lancelot Simon firstname.lastname@example.org
"The inconsistency is startling, though admittedly, if consistency is to be
abandoned or transcended, there is no problem." - Noam Chomsky