Re: chroot useful?
Paul McNabb (mcnabb@argus-systems.com)
Tue, 11 Nov 1997 09:34:10 -0600
- Next message: Steven M. Bellovin: "Re: chroot useful?"
- Previous message: Andreas Siegert: "Facts, not Fiction"
- Next in thread: Steven M. Bellovin: "Re: chroot useful?"
- Reply: Steven M. Bellovin: "Re: chroot useful?"
> From: Darren Reed <darrenr@cyber.com.au>
>
> > 4) I didn't try mknod, but it should work the same way, right?
>
> Yes. On a typical system, getting root in a chroot'd environment can mean
> "game over". When you start doing things like making kmem read-only,
> disallowing various system calls (mknod, for example), preventing raw
> devices from being opened, then chroot'd environments become safer places
> to let root programs run wild.
The same holds true on Solaris, of course. That's why on the Solaris
firewalls and network servers we work with at customer sites, we make it
so that people connecting using any network daemon for any protocol cannot
use the chmod or uadmin system calls, even if they are root. We make all
memory devices and all disk devices entirely off-limits, even to processes
running as root. And finally, we turn off read, write, and execute for
almost all files, directories, programs, and devices on the system, again
even for root.
When this is in place, you don't really chroot for protection any more.
You use chroot only when you need to provide an alternate environment for
a process or session.
paul
---------------------------------------------------------
Paul McNabb                    Argus Systems Group, Inc.
Vice President and CTO         1809 Woodfield Drive
mcnabb@argus-systems.com       Savoy, IL 61874 USA
TEL 217-355-6308
FAX 217-355-1433               "Securing the Future"
---------------------------------------------------------
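Read as an added example, not code from the thread or from Argus: a Linux equivalent of the restrictions both posts describe, using a seccomp-BPF filter to refuse mknod/mknodat and reboot (the nearest analogue of the Solaris uadmin call) to a chroot'd process even when it is uid 0, then dropping to an unprivileged uid. The names install_syscall_filter, harden_jail and the denied list are mine, and the code assumes Linux on x86_64 or aarch64.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>
#include <stddef.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>
#if defined(__x86_64__)
#define ARCH_NR AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define ARCH_NR AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* value for this architecture"
#endif
static const int denied[] = {    /* refused even for uid 0 (assumed list) */
#ifdef __NR_mknod
    __NR_mknod,                  /* no fresh device nodes */
#endif
    __NR_mknodat, __NR_reboot }; /* reboot is the Solaris uadmin() analogue */
#define NDENIED (sizeof denied / sizeof denied[0])
/* seccomp-BPF filter: denied syscalls fail with EPERM, the rest pass, and a
 * caller on a foreign ABI is killed so numbers cannot be remapped. No root
 * needed. Returns 0 on success, -1 with errno set on failure. */
int install_syscall_filter(void) {
    struct sock_filter prog[6 + 2 * NDENIED];
    size_t n = 0;
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch));
    prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, ARCH_NR, 1, 0);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL_PROCESS);
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr));
    for (size_t i = 0; i < NDENIED; i++) {   /* one compare + one deny per entry */
        prog[n++] = (struct sock_filter)BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, denied[i], 0, 1);
        prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ERRNO | EPERM);
    }
    prog[n++] = (struct sock_filter)BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW);
    struct sock_fprog fprog = { .len = (unsigned short)n, .filter = prog };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &fprog);
}
/* chroot only supplies the alternate root (the thread's point); the filter and
 * the drop to an unprivileged uid/gid are what keep "root" away from devices. */
int harden_jail(const char *dir, uid_t uid, gid_t gid) {   /* needs root */
    if (chroot(dir) < 0 || chdir("/") < 0 || install_syscall_filter() < 0) return -1;
    return (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0) ? -1 : 0;
}
```

Once the filter is in, a mknod on a path that does not even exist fails with EPERM rather than ENOENT, which is the cheap way to confirm the refusal happens in the kernel before any path lookup.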
This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:09:48 CDT