Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 5 Jul 2002 17:13:01 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 5 Jul 2002 17:13:00 -0400 Received: from abraham.CS.Berkeley.EDU ([128.32.247.199]:16647 "EHLO mx2.cypherpunks.ca") by vger.kernel.org with ESMTP id ; Fri, 5 Jul 2002 17:12:59 -0400 To: linux-kernel@vger.kernel.org Path: not-for-mail From: daw@mozart.cs.berkeley.edu (David Wagner) Newsgroups: isaac.lists.linux-kernel Subject: Re: prevent breaking a chroot() jail? Date: 5 Jul 2002 21:00:55 GMT Organization: University of California, Berkeley Distribution: isaac Message-ID: References: <1025877004.11004.59.camel@zaphod> <1025879850.11004.75.camel@zaphod> NNTP-Posting-Host: mozart.cs.berkeley.edu X-Trace: abraham.cs.berkeley.edu 1025902855 28542 128.32.153.211 (5 Jul 2002 21:00:55 GMT) X-Complaints-To: news@abraham.cs.berkeley.edu NNTP-Posting-Date: 5 Jul 2002 21:00:55 GMT X-Newsreader: trn 4.0-test74 (May 26, 2000) Originator: daw@mozart.cs.berkeley.edu (David Wagner) Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1631 Lines: 25 Shaya Potter wrote: >if one changed the semantics of chroot() to also do a chdir() to the new root, >would that be fixed? There are lots of other ways for root to escape from a chroot jail. For example: Take control of another process using ptrace, mknod a new device, use the loopback filesystem to create new devices, mount /proc and modify /dev/kmem, bind to privileged ports and escape over the network, kill servers and re-bind to their addresses, mount a new filesystem, bang on IPC or shared memory, load a loadable kernel module, directly access hardware with iopl(), and so on. Moreover, note that chrooted root processes can do lots of other harm: kill all the rest of the processes on the box, set the time of day, set the local hostname, reboot your machine, use sysctl to turn on some dangerous option (e.g., IP forwarding), renice other processes, and the like. This is probably not so good, either. Chroot is a lot better than nothing, but it doesn't provide a secure jail, especially not for root. However, the following tools are intended to provide a secure jail, and may be of interest to you: SubDomain (http://www.immunix.org/subdomain.html), Janus (http://www.cs.berkeley.edu/~daw/janus/), and BSD's jail() system call come to mind. Also, may I point you to the Linux Security Modules project (http://lsm.immunix.org/)? I think you may find it of interest. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/