Subject: Re: chroot() and capabilities
From: Crispin Cowan (crispin@wirex.com)
Date: Fri Aug 11 2000 - 14:37:21 CDT
- Next message: Matthew Kirkwood: "RFD: security-newbie mailing list"
- Previous message: David Lang: "Re: chroot() and capabilities"
- In reply to: David Lang: "Re: chroot() and capabilities"
- Next in thread: David Lang: "Re: chroot() and capabilities"
- Next in thread: Crispin Cowan: "Re: chroot() and capabilities"
- Reply: Crispin Cowan: "Re: chroot() and capabilities"
- Reply: David Lang: "Re: chroot() and capabilities"
- Reply: Chris Evans: "Re: chroot() and capabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]
David Lang wrote:
> in a standard chroot there are separate copies of the binaries which means
> that if someone gets into the sandbox and corrupts it it only affects that
> sandbox. in your scheme it sounds like they would corrupt other parts of
> the system that use the same binary.
That is deliberate. The chroot() approach provides superior isolation, but
basically prevents the jailed app from doing anything useful to the host. As a
result, you cannot jail an application that intends to do something to the host,
i.e. the MTA (sendmail, postfix, whatever) because then it can't write to the mail
boxen.
SubDomain allows you to confine arbitrary programs, while controlling & limiting
the potential damage that a rogue app could do. You can give it read/not-write
access to /etc/shadow, etc.
If you really want the isolation effect, then you can go right ahead and create a
chroot-style jail, copy files into it, and then write a SubDomain profile that
says you can only access the jail. For a bit more flexibility, you can write a
profile that says the program can access the jail, plus read one or two files
outside the jail. Etc. etc.
ObAudit: one of SubDomain's leading design criteria was to make it easy to audit
the SubDomain configuration of your host. If you want to know what is at risk,
you can just go look at the profiles. This is in stark contrast to trying to do
it with UIDs and file system mode bits. If I make the program owned by UID foo,
what files does it have R/W/X access to? I need to search the whole file system
to find out. With SubDomain, I can tell by reading one file.
Crispin
--
Crispin Cowan, Chief Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution: http://immunix.org
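The audit argument in the message above (answering "what files can this program touch?" requires walking the whole file system under UID/mode bits, but only reading one profile under per-program confinement) can be made concrete. The script below is an added example, not code from the thread or from SubDomain/WireX: it evaluates classic Unix owner/group/other bits over a small constructed file tree, and then answers the same question from a hypothetical "<path> <perms>" profile format that I made up for illustration (it is not SubDomain's real syntax). The UIDs, GIDs, paths and modes are constructed sample data.

```python
"""Contrast two ways of answering "what can this program access?":
 - DAC: evaluate owner/group/other mode bits on every inode (whole-tree walk);
 - profile: read one per-program rule file.
Everything here is constructed for this example; the profile syntax is hypothetical."""
import fnmatch
from typing import Dict, Iterable, List, Tuple

# Constructed miniature file system: path -> (owner uid, group gid, mode bits).
FS: Dict[str, Tuple[int, int, int]] = {
    "/etc/passwd":        (0,    0,    0o644),
    "/etc/shadow":        (0,    42,   0o640),   # gid 42 = shadow (constructed)
    "/var/mail/alice":    (1001, 12,   0o660),   # gid 12 = mail (constructed)
    "/var/mail/bob":      (1002, 12,   0o660),
    "/usr/sbin/sendmail": (0,    0,    0o755),
    "/home/alice/secret": (1001, 1001, 0o600),
}


def dac_perms(uid: int, gids: Iterable[int], owner: int, group: int, mode: int) -> str:
    """Classic Unix DAC: exactly one class (owner, group, other) applies, chosen in that order."""
    if uid == 0:
        # root bypasses DAC for read/write; execute needs at least one x bit set
        return "rwx" if mode & 0o111 else "rw"
    if uid == owner:
        shift = 6
    elif group in gids:
        shift = 3
    else:
        shift = 0
    bits = (mode >> shift) & 0o7
    return "".join(c for c, b in zip("rwx", (4, 2, 1)) if bits & b)


def audit_by_uid(uid: int, gids: Iterable[int], fs: Dict[str, Tuple[int, int, int]] = FS) -> Dict[str, str]:
    """The UID/mode-bit answer: every inode in the tree must be inspected."""
    result = {}
    for path, (owner, group, mode) in fs.items():
        perms = dac_perms(uid, gids, owner, group, mode)
        if perms:
            result[path] = perms
    return result


# Hypothetical profile for the MTA in a made-up "<path-glob> <perms>" syntax.
PROFILE_TEXT = """
# constructed profile for /usr/sbin/sendmail (NOT SubDomain's real syntax)
/usr/sbin/sendmail x
/etc/passwd r
/etc/shadow r          # read but not write, as discussed in the thread
/var/mail/* rw
"""


def parse_profile(text: str) -> List[Tuple[str, str]]:
    """Parse the hypothetical profile into (glob, perms) rules; reject unknown permission letters."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        pattern, perms = line.split()
        if set(perms) - set("rwx"):
            raise ValueError(f"bad permission string {perms!r} for {pattern}")
        rules.append((pattern, perms))
    return rules


def profile_allows(rules: List[Tuple[str, str]], path: str) -> str:
    """Union of permissions from every rule whose glob matches the path ('' if none)."""
    allowed = set()
    for pattern, perms in rules:
        if fnmatch.fnmatchcase(path, pattern):   # note: '*' also matches '/' in fnmatch
            allowed.update(perms)
    return "".join(c for c in "rwx" if c in allowed)


def audit_by_profile(rules: List[Tuple[str, str]], fs: Dict[str, Tuple[int, int, int]] = FS) -> Dict[str, str]:
    """The profile answer: the rule file alone says what is at risk; fs is only used to list concrete paths."""
    return {path: perms for path in fs if (perms := profile_allows(rules, path))}


if __name__ == "__main__":
    print("DAC view of an MTA running as root:", audit_by_uid(0, {0}))
    print("DAC view of uid 1001 (alice):", audit_by_uid(1001, {1001, 12}))
    rules = parse_profile(PROFILE_TEXT)
    print("Profile view of the same MTA:", audit_by_profile(rules))
```

Running it shows the asymmetry the message describes: the DAC answer for a root-owned MTA is "read/write everything, including /etc/shadow", and it can only be produced by visiting every inode, whereas the profile grants /etc/shadow read-only and /var/mail read/write, and that answer is visible by reading the rule file alone.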