Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 5 Jul 2002 11:12:24 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 5 Jul 2002 11:12:24 -0400 Received: from h24-70-122-134.ek.shawcable.net ([24.70.122.134]:8832 "EHLO vance.pcsscreston.ca") by vger.kernel.org with ESMTP id ; Fri, 5 Jul 2002 11:12:23 -0400 Subject: Re: prevent breaking a chroot() jail? From: Vance Lankhaar To: Shaya Potter Cc: linux-kernel@vger.kernel.org In-Reply-To: <1025877004.11004.59.camel@zaphod> References: <1025877004.11004.59.camel@zaphod> Content-Type: text/plain Content-Transfer-Encoding: 7bit X-Mailer: Ximian Evolution 1.0.5 Date: 05 Jul 2002 08:17:52 -0700 Message-Id: <1025882272.929.2.camel@vance.pcsscreston.ca> Mime-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1438 Lines: 35 Take a look at the GR Security patch. It has a whole bunch of chroot restrictions, and might just do exactly what you want. http://www.grsecurity.net Vance On Fri, 2002-07-05 at 06:50, Shaya Potter wrote: > I'm trying to develop a way to ensure that one can't break out of a > chroot() jail, even as root. I'm willing to change the way the syscalls > work (most likely only for a subset of processes, i.e. processes that > are run in the jail end up getting a marker which is passed down to all > their children that causes the syscalls to behave differently). > > What should I be aware of? I figure devices (no need to run mknod in > this jail) and chroot (as per man page), is there any other way of > breaking the chroot jail (at a syscall level or otherwise)? > > or is this 100% impossible? > > thanks, > > shaya -- ------------------------------------------------------------ Vance Lankhaar vance@pcsscreston.ca PCSS Yearbook yearbook@pcsscreston.ca PCSS Computers sysadmins@pcsscreston.ca http://www.crestonbc.com/pcss/ http://www.pcsscreston.ca ------------------------------------------------------------ - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/