From: "Oliver Pitzeier" <o.pitzeier@uptime.at>
To: "'Olaf Titz'" <olaf@bigred.inka.de>, <linux-kernel@vger.kernel.org>,
       "=?us-ascii?Q?'Herbert_Potzl'?=" <herbert@13thfloor.at>
Subject: RE: chroot() breaks syslog() ?
Date: Wed, 6 Aug 2003 10:42:40 +0200
Organization: UPtime system solutions
Message-ID: <000701c35bf6$b370ea70$020b10ac@pitzeier.priv.at>
MIME-Version: 1.0
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: 7bit
In-Reply-To: 
Importance: Normal
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1069
Lines: 28

> > IMHO, devfs in chroot environment, is defeating the purpose 
> > because if you have access to raw devices, like the device
> > your chroot dir is on, 
> > you can easily mount that device again, and voila you have 
> > access to 
> > the full tree, if you
> 
> You need to be root to mount the device, and as root you can 
> also create the device special file. A chroot environment 
> does not reliably guard against root breaking out of it.

That's not completly wrong nor is it completly true. :)

You _CAN_ guard yourself from root's breaking out of some chroot environment.
Using grsec (www.grsecurity.net). Denying double-chroots, creation of special
files within chroot-environments and if you like it... Deny mounting within
chroot. :)

There are many options provided - just use 'em. :)

Best regards,
 Oliver

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/