End of bind-chroot-admin script

Adam Tkac atkac at redhat.com
Mon Nov 10 13:26:30 UTC 2008


On Mon, Nov 10, 2008 at 06:58:38AM -0500, Alan Cox wrote:
> On Mon, Nov 10, 2008 at 01:34:23PM +0100, Adam Tkac wrote:
> > Chroot is good and traditional method how restrict daemons. Many users
> > still use it and it is far more easy create chroot configuration than
> > create/maintain SELinux policy. I don't think SELinux obsoletes
> > chroot, both try restrict daemon privileges and both have + and -.
> 
> chroot isn't a security feature. It helps for some non-root cases but there
> are ways out of chroots and there are all sorts of fun things that can be
> used to escape a chroot in the right circumstances.

Well, we are quite OT but could you point me how daemon could escape chroot
when it is written correctly?

> 
> Its also inadequate for some forms of attack. If I can persuade your named to
> run code of my choice in a chroot without selinux then I can still use your
> box as a spam machine, botnet host, DoS attack tool, proxy, etc .. all without
> breaking the chroot.
> 
> In the SELinux case a lot of those actions will hit SELinux denials.
> 

Right you are but when you are using chroot it is very hard to do
such attack. I think it is nearly impossible insert and run such long
arbitrary code especially when binary is compiled with stack protector.

Make sure I also think SELinux is better but it doesn't mean that
chroot is useless and obsoleted.

Adam

-- 
Adam Tkac, Red Hat, Inc.




More information about the fedora-devel-list mailing list