End of bind-chroot-admin script
yersinia
yersinia.spiros at gmail.com
Mon Nov 10 12:49:31 UTC 2008
Well, it is off topic IMHO with the principal mail subject but the
discussion is so interesting so some consideration on the point could be
useful
http://etbe.coker.com.au/2007/08/22/se-linux-vs-chroot/
of Russel Cooker
On Mon, Nov 10, 2008 at 2:26 PM, Adam Tkac <atkac at redhat.com> wrote:
> On Mon, Nov 10, 2008 at 06:58:38AM -0500, Alan Cox wrote:
> > On Mon, Nov 10, 2008 at 01:34:23PM +0100, Adam Tkac wrote:
> > > Chroot is good and traditional method how restrict daemons. Many users
> > > still use it and it is far more easy create chroot configuration than
> > > create/maintain SELinux policy. I don't think SELinux obsoletes
> > > chroot, both try restrict daemon privileges and both have + and -.
> >
> > chroot isn't a security feature. It helps for some non-root cases but
> there
> > are ways out of chroots and there are all sorts of fun things that can be
> > used to escape a chroot in the right circumstances.
>
> Well, we are quite OT but could you point me how daemon could escape chroot
> when it is written correctly?
>
> >
> > Its also inadequate for some forms of attack. If I can persuade your
> named to
> > run code of my choice in a chroot without selinux then I can still use
> your
> > box as a spam machine, botnet host, DoS attack tool, proxy, etc .. all
> without
> > breaking the chroot.
> >
> > In the SELinux case a lot of those actions will hit SELinux denials.
> >
>
> Right you are but when you are using chroot it is very hard to do
> such attack. I think it is nearly impossible insert and run such long
> arbitrary code especially when binary is compiled with stack protector.
>
> Make sure I also think SELinux is better but it doesn't mean that
> chroot is useless and obsoleted.
>
> Adam
>
> --
> Adam Tkac, Red Hat, Inc.
>
> --
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
> https://www.redhat.com/mailman/listinfo/fedora-devel-list
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/fedora-devel-list/attachments/20081110/dbc88632/attachment.htm>
More information about the fedora-devel-list
mailing list