Hi.

I've just a short question: Does anybody know how secure it is to chroot users in a small piece of my server tree?

We want users to log in via ssh and work on a webserver (test scripts etc.). They shouldn't see each other; they shouldn't even know whether they are on a real server or in a virtual space that seems and behaves in most cases like a server. To point it out: Is there a possibility to break out of the chrooted environment, or is it safe to let them log in?

Thanks in advance

Your Formel4 team
mailto:info@formel4.de
---
Viruses also do something useful, e.g. deleting Windows.

Hi,
if a compiler and certain programs are missing in a chroot jail it can be
considered reasonably safe. A possible way for an attacker to break out of such
a jail is to abuse setuid programs such as (older) versions of perl (which is
likely to exist on a webserver for cgi-scripts), or to exploit known
vulnerabilities of other binaries which reside in the chroot'ed area.
There are numerous exploits for other chroot'ed environments for services such
as ftp (see http://www.securityfocus.com/archive/1/12962) but I doubt whether
these can be adjusted to your situation. Anyway, take a close look at what you
put in the chroot area.
There's some paper discussing ways of escaping the chroot jail under
http://www.bpfh.net/simes/computing/chroot-break.html which is quite
informative.
Boris
On Wed, 6 Dec 2000, Boris Lorenz wrote:
> There are numerous exploits for other chroot'ed environments for services such as ftp (see http://www.securityfocus.com/archive/1/12962) but I doubt whether these can be adjusted to your situation. Anyway, take a close look at what you put in the chroot area.

Well, IIRC several ppl planned to port *BSD jail to Linux, but a search in my bookmarks shows only http://sourceforge.net/projects/linuxjail/ (which seems not to be a very active project, I'm afraid).

Anyway, some related links are:

Marc's compartment: http://www.suse.de/~marc/
capsel: http://www.elzabsoft.pl/~wp/capsel.html
VXE: http://www.intes.odessa.ua/vxe/
Argante: http://agt.buka.org/concept.html
LIDS: http://www.lids.org/
RSBAC: http://www.rsbac.org/
medusa DS9: medusa.fornax.sk

HTH

best regards,
Rainer Link

--
Rainer Link | SuSE - The Linux Experts
link@suse.de | Developer of A Mail Virus Scanner (amavis.org)
www.suse.de | Founder OpenAntiVirus Project (www.openantivirus.org)

> Hi,
> if a compiler and certain programs are missing in a chroot jail it can be considered reasonably safe.

It's easy to upload images. :)

> A possible way for an attacker to break out of such a jail is to abuse setuid programs such as (older) versions of perl (which is likely to exist on a webserver for cgi-scripts), or to exploit known vulnerabilities of other binaries which reside in the chroot'ed area.

It's true, but even without this you should be careful. Often the UID/GID of programs in a chroot jail is changed to nobody/nogroup; this enables an attacker to manipulate other processes with the same UID outside the chroot jail via ptrace() (cron jobs are often run as nobody). An attacker could also use the network API to bypass ACLs (like tcpd and packet filter), or to set up its own servers and fool clients. Open directory descriptors are, besides directory links, the easiest way to leave the jail. :)

> There are numerous exploits for other chroot'ed environments for services such as ftp (see http://www.securityfocus.com/archive/1/12962) but I doubt whether

They just work, because they exploit bugs while the code is running w/ UID 0.

just my 0.02 Euro. :)

Bye,
Thomas

--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@suse.de Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47

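A defender-side check for the advice in the replies above (look closely at what is put in the chroot area, in particular setuid programs and compilers), as an added example that is not part of the original thread. The function names, the tool-name list and the sample tree are constructed assumptions.

```shell
#!/bin/sh
# audit_chroot DIR: list files under DIR that the replies flag as risky.
# Output lines: "SETUID <path>", "SETGID <path>", "TOOL <path>".
# Returns 0 if nothing was found, 1 if there are findings, 2 on usage error.
audit_chroot() {
    jail=$1
    [ -d "$jail" ] || { echo "usage: audit_chroot DIR" >&2; return 2; }

    # Assumed deny-list of compilers, interpreters and debuggers (exact
    # file names only); extend it to match local policy.
    tools='gcc cc g++ c++ as ld make perl python python3 gdb strace'

    # Turn the list into a find expression: -name gcc -o -name cc ...
    set --
    for t in $tools; do set -- "$@" -o -name "$t"; done
    shift   # drop the leading -o

    findings=$(
        find "$jail" -xdev -type f -perm -4000 -print | sed 's/^/SETUID /'
        find "$jail" -xdev -type f -perm -2000 -print | sed 's/^/SETGID /'
        find "$jail" -xdev \( -type f -o -type l \) \( "$@" \) -print |
            sed 's/^/TOOL /'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample tree for trying the audit without a real jail:
# one harmless binary, one setuid file and one compiler (all empty files).
make_sample_jail() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/bin" "$d/usr/bin" "$d/home/user"
    : > "$d/bin/sh";           chmod 0755 "$d/bin/sh"
    : > "$d/usr/bin/suidperl"; chmod 4755 "$d/usr/bin/suidperl"
    : > "$d/usr/bin/gcc";      chmod 0755 "$d/usr/bin/gcc"
    printf '%s\n' "$d"
}

# Audit the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then audit_chroot "$1"; fi
```

The audit covers only the file tree; the shared nobody UID and open directory descriptors mentioned above are properties of running processes and need a separate check.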
On Tue, 5 Dec 2000, Ralf Koch wrote:
> Hi.
> I've just a short question: Does anybody know how secure it is to chroot users in a small piece of my server tree?
> We want users to log in via ssh and work on a webserver (test scripts etc.). They shouldn't see each other; they shouldn't even know whether they are on a real server or in a virtual space that seems and behaves in most cases like a server. To point it out: Is there a possibility to break out of the chrooted environment, or is it safe to let them log in?

chrooted environments can be broken. Some techniques require root privileges, some not. It really depends on the kernel. I'd use Solar Designer's openwall patch. Using this, you also can't see other users/processes.

regards, Sebastian
participants (5)
- Boris Lorenz
- Rainer Link
- Ralf Koch
- Sebastian Krahmer
- Thomas Biege