security implications: ptyfs + mount_null + chroot
** The short version:
What security implications are there of doing a "null" mount of
/dev/pts on to directory that will be used under a chroot'ed
environment? How easily, if at all, could the resulting access to
ptys which might have been opened in the parent environment be a
In addition, how iron-clad is chroot now considered to be anyway?
** The longer version, if you care to read it:
I'm using the sandbox feature under pkgsrc/mk/bulk to build
packages in a chroot'ed env (I'm aware of other ways to build
packages chroot'ed, but I prefer mksandbox because it's elegantly
simple). I'm enjoying its side benefit that null-mounting the
parent userland dirs read-only in the sandbox reduces the damage to
the OS that, e.g., a trojan'ed Makefile.in buried in the package
distribution could do during builds. I do realize I'm not
addressing the run-time trust issue of packages here. Consider
that a separate thread for the moment.
A small problem I'm having, though, is that since ptyfs is
unavailable in the sandbox, some programs don't work in the
sandbox. My quick fix was to add /dev/pts to the list of
directories that get null-mounted; but it has to be read-write--
and therefore sets off warning-bells for me that doing so might
diminish the whole chroot/read-only win of using the sandbox. Does
it? Could it, say, offer an attacker in the chroot'ed environment
a previously-unavailable way to escape the jail? Or is the
aforementioned chroot/read-only win actually less of a win than I
thought it was in the first place?
Thanks in advance for your opinion on this.
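One practical check that falls out of the question above is to audit the sandbox's mount table for null mounts that are not read-only, since those (and /dev/pts in particular) are the ones that break the read-only property of the sandbox. The script below is an added example written for this page, not code from mksandbox or pkgsrc. It assumes mount(8) output in the form "source on mountpoint type fstype (opt, opt)" as NetBSD prints it, a sandbox root of /usr/sandbox, and uses a constructed sample mount listing rather than output captured from a real system.

```sh
#!/bin/sh
# Added example (not part of the original post): list null mounts under a
# sandbox root that are NOT mounted read-only.
# Assumptions: mount(8) output shaped like
#   "<source> on <mountpoint> type <fstype> (<opt>, <opt>, ...)"
# and a sandbox root of /usr/sandbox (override with SANDBOX=...).

SANDBOX="${SANDBOX:-/usr/sandbox}"

# Constructed sample of `mount` output for illustration; not captured
# from a live machine.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0e on /usr type ffs (local)
ptyfs on /dev/pts type ptyfs (local)
/bin on /usr/sandbox/bin type null (read-only, local)
/usr on /usr/sandbox/usr type null (read-only, local)
/usr/pkgsrc on /usr/sandbox/usr/pkgsrc type null (local)
/dev/pts on /usr/sandbox/dev/pts type null (local)'

# Read mount output on stdin; print "<source> <mountpoint>" for every
# null mount whose mountpoint lies under $SANDBOX and whose option list
# does not contain "read-only".
rw_null_mounts() {
    awk -v root="$SANDBOX" '
        $4 == "type" && $5 == "null" && index($3, root "/") == 1 {
            opts = ""
            for (i = 6; i <= NF; i++) opts = opts " " $i
            if (opts !~ /read-only/) print $1, $3
        }'
}

# Count of writable null mounts under the sandbox in the sample.
rw_null_mount_count() {
    printf '%s\n' "$SAMPLE_MOUNTS" | rw_null_mounts | awk 'END { print NR }'
}

# Succeeds only when every null mount under the sandbox is read-only.
check_sandbox() {
    [ "$(rw_null_mount_count)" -eq 0 ]
}

# On a live system replace the sample with:  mount | rw_null_mounts
printf '%s\n' "$SAMPLE_MOUNTS" | rw_null_mounts
```

On the sample this reports the writable pkgsrc tree (which a bulk build needs) and the writable /dev/pts null mount; it only inspects the mount table and says nothing about what a process inside the chroot can reach through a shared ptyfs, which is the separate question the post raises.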