Message-Id: <200308071201.h77C1WEP007411@indianer.linux-kernel.at>
From: Oliver Pitzeier <oliver@linux-kernel.at>
To: herbert@13thfloor.at, linux-kernel@vger.kernel.org
Subject: grsec chroot; deny raw access (WAS: RE: chroot() breaks syslog() ?)
Date: Thu, 7 Aug 2003 14:02:58 +0200
Organization: Linux Kernel Austria
MIME-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8BIT
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 1151
Lines: 32

Oliver Pitzeier wrote <oliver@linux-kernel.at> wrote:
> Herbert P?tzl <herbert@13thfloor.at> wrote:
> [ ... ]
> > hmm, how will you avoid creation of special (devicenodes) 
> > files if I have raw access to any partition? I can 'simply'
> > use xxd to create my special inodes on the medium ... and I
> > would not care if mount is enabled or not when I wipe the
> > root partition with dd ...
> 
> AFAIK, there are possibilities to deny _RAW_ access to 
> partitions, while in a chroot-jail... If not, I'll tell the 
> grsec-team to implement a new feature. :)

I had contact to one of the grsec folks. He told me that it IS
possible, if you have enabled the ACL system...

The original mail he sent me was:

> I noticed your lkml post.  grsecurity will indeed deny raw
> access to block devices in a chroot, but only if the ACL
> system is enabled.

Herbert, I hope that helps? :)

Best regards,
 Oliver

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/