chroot-jail ?? whats this
Doug Siebert
dsiebert at icaen.uiowa.edu
Tue Feb 29 17:43:19 UTC 2000
Chris Phillips - Member Technical Staff <chrisph at loon.east.sun.com> writes:
>Consider that you have built the "chroot" env
>to isolate this app/daemon from the "real" system. If by some means
>root is acquired in the "chroot" env, then it may be possible to alter the
>files shared between the "chroot" env and the real env in such a way as
>to allow a root access in the real env. I would strive to make the
>2 environments as independent as possible.
If root is acquired in the chroot filesystem, all is lost unless it is
mounted read only and no directories exist within the chroot hierarchy.
(Plus the more obvious ones about not having any devices, etc.)
Otherwise:
chdir("/");
chroot("somedir");
chdir("../../../../../.."); /* as many as needed to get to real / */
chroot(".");
This works in every Unix I'm aware of, due to the way chroot() is
implemented. It is possible some versions have changed things so that
chroot() does an implicit chdir(), but then it violates POSIX.
There really is a reason why people keep saying that chroot() really
doesn't buy you much security...
--
Douglas Siebert Director of Computing Facilities
douglas-siebert at uiowa.edu Division of Mathematical Sciences, U of Iowa
I'm planning on being dead for most of the new millennium, how about you?
More information about the bind-users
mailing list