Subject: Re: mknod in a chroot jail
To: Edgar Fuß <efnbl05@bn2.maus.net>
From: Thor Lancelot Simon <tls@rek.tjls.com>
List: tech-security
Date: 07/17/2005 13:12:15
On Sun, Jul 17, 2005 at 11:50:42AM +0200, Edgar Fuß wrote:
> As I started the thread about mknod in a chroot environment,
> I'll have to make some comments on the discussion my query started:
> 
> It was suggested that I had turned off standard security mechanisms
> and was surprised by the impacts this had.
> No I'm not. I'm running securelevel 1 on all but two NetBSD machines
> (0 on a netbooted sort-of-X-terminal, 2 on a paranoid syslog server).

If you're running at security level 1, then why are you worried about
this problem?  The kernel will not let you mount *or access* partitions
that are already in use.

> It was suggested to mount all filesystems either ro or nodev.
> I'm not aware of anything keeping me from mounting a memory file system
> non-nodev at a mount point of my discretion.

If you're concerned about this, you should not, of course, have MFS in
your kernel.  If you want to be able to mount memory filesystems outside
the chroot, but not inside, you can use md instead of MFS, and not create
md device nodes inside the chroot.

> It was suggested not to run any root processes chroot-ed.
> What, then, is the preferred way of running named (or, more generally,
> providing name service) or ntpd?

Both of these programs can *already* run chrooted, not as root.  They
bind their sockets, chroot, and immediately revoke their root privileges.

More generally, however, you can use systrace to do all you want, and
more.

-- 
 Thor Lancelot Simon	                                      tls@rek.tjls.com

"The inconsistency is startling, though admittedly, if consistency is to be
 abandoned or transcended, there is no problem."		- Noam Chomsky
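The gap Edgar describes above, a memory filesystem mounted non-nodev at a mount point inside the jail, is something an administrator can audit for. The script below is an added example for this thread, not code from either poster or from NetBSD; it assumes the line format printed by NetBSD's mount(8) (`<device> on <mountpoint> type <fstype> (<opt>, <opt>, ...)`), takes the jail path and an allowlist of device nodes as arguments, and reads a constructed sample listing rather than the live mount table.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): audit a chroot jail for
# the two things the thread worries about: filesystems mounted under the jail
# without "nodev" or "ro", and device nodes inside the jail that were not
# deliberately put there.

# Print mount points at or below the jail $1 whose option list contains
# neither "nodev" nor "ro". Reads mount(8)-style lines on stdin; the format
# "<device> on <mountpoint> type <fstype> (<opts>)" is an assumption.
mounts_allowing_devices() {
    jail="$1"
    while IFS= read -r line; do
        # Mount point sits between " on " and " type ".
        mp=${line#* on }
        mp=${mp% type *}
        # Option list sits inside the parentheses; drop the spaces so that
        # ",opt," matching is exact (avoids "nodev" matching "x,nodevfoo").
        opts=${line#*\(}
        opts=${opts%\)}
        opts=$(printf '%s' "$opts" | tr -d ' ')
        case "$mp" in
            "$jail"|"$jail"/*) ;;    # inside the jail: keep checking
            *) continue ;;           # elsewhere: not our concern here
        esac
        case ",$opts," in
            *,nodev,*|*,ro,*) ;;     # device nodes ignored, or nothing writable
            *) printf '%s\n' "$mp" ;;
        esac
    done
}

# Print block/character device nodes under the jail $1 that are not among the
# remaining arguments (the allowlist, given as paths relative to the jail,
# e.g. /dev/null). Walks the real directory tree with find(1).
unexpected_device_nodes() {
    jail="$1"; shift
    find "$jail" \( -type b -o -type c \) -print | while IFS= read -r node; do
        rel=${node#"$jail"}
        ok=0
        for allowed in "$@"; do
            if [ "$rel" = "$allowed" ]; then ok=1; fi
        done
        if [ "$ok" -eq 0 ]; then printf '%s\n' "$node"; fi
    done
}

# Constructed sample mount(8) output for the demo (not real output). The
# /tmp mfs inside the jail is the problematic one: writable, no nodev.
SAMPLE_MOUNTS='/dev/wd0a on / type ffs (local)
/dev/wd0e on /var type ffs (nodev, nosuid, local)
mfs:1234 on /var/chroot/named/tmp type mfs (asynchronous, local)
mfs:1235 on /var/chroot/named/dev type mfs (nodev, local)'

# Demo run: expected to report only /var/chroot/named/tmp.
printf '%s\n' "$SAMPLE_MOUNTS" | mounts_allowing_devices /var/chroot/named
```

On a live system the first function would be fed `mount | mounts_allowing_devices /var/chroot/named`, and the second run as `unexpected_device_nodes /var/chroot/named /dev/null /dev/random` (or whatever nodes the service was given); either producing output means the jail allows something the thread argues it should not.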