Yes, people can escape from Chroots. There is no extra protection in the SuSE Kernel yet. And trying to apply any 3rd party patches can be a real pain (at least for the 2.4 kernel) owing to the extensive backports of stuff into it. Look at my thread from about a week or two ago called "Extra Chroot Protection in SuSE?" or something like that.

If you don't mind running a patched vanilla kernel, take a look at www.grsecurity.org. They have done all kinds of nice things like make Chroots more secure as well as patching lots of other things and implementing some stack smashing protection etc.

Also, if you want REALLY secure separation of applications, then I'd recommend something like the linux vserver project (www.linux-vserver.org) whereby you can create multiple virtual servers with their own IP addresses and capability restrictions, etc. Or check out Solaris 10 x86 which has this feature called "Containers" which securely implements the same thing but it's part of the OS now rather than an "add-on" or 3rd party patch. Also anyone can now use Solaris 10 x86 as long as they register that they are using it!

Hope that helps! :)
-----Original Message-----
From: Kai Pfeiffer [mailto:pfeiffer.kai@gmx.net]
Sent: Wednesday, 16 February 2005 12:19 a.m.
To: suse-security@suse.com
Subject: [suse-security] Security enhancements with Chrooted Apache?
Hello list,
I compiled Apache 2.xx with PHP5 from the sources into a chroot environment. The only executables in this chroot-cage are bash and the apache-daemon. Only the necessary libs are in the cage.
The whole chroot-tree is on an iso-image and only the partitions needed for var and tmp are mounted noexec.
I want to know if there are any worries about this configuration, e.g. could anybody escape out of this cage if he cracked Apache?
Thanx
Kai
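Added example, not part of either message: a small audit of the mount layout described in the original post (read-only image as the chroot root, writable `var` and `tmp` mounted `noexec`), run over text in `/proc/mounts` format. The jail path `/srv/jail`, the device names and the sample table are constructed, and the check goes beyond the post by also requiring `nosuid` and `nodev` on writable mounts, which is an assumption of this example.

```python
import re

# Constructed sample in /proc/mounts format; devices and paths are hypothetical.
SAMPLE_MOUNTS = """\
/dev/sda2 / ext3 rw 0 0
/dev/loop0 /srv/jail iso9660 ro 0 0
/dev/sda5 /srv/jail/var ext3 rw,noexec,nosuid,nodev 0 0
/dev/sda6 /srv/jail/tmp ext3 rw,noexec 0 0
"""

# noexec is what the post uses; nosuid and nodev are added here as assumptions.
REQUIRED_ON_WRITABLE = ("noexec", "nosuid", "nodev")


def parse_mounts(text):
    """Yield (mountpoint, options) for each well-formed mount table line."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # The kernel writes spaces and tabs in paths as octal escapes (\040).
        mountpoint = re.sub(r"\\([0-7]{3})",
                            lambda m: chr(int(m.group(1), 8)), fields[1])
        yield mountpoint, set(fields[3].split(","))


def audit_jail(mount_table, jail_root):
    """Return (mountpoint, problem) findings for the mounts of one chroot tree."""
    root = jail_root.rstrip("/")
    findings, root_seen = [], False
    for mountpoint, opts in parse_mounts(mount_table):
        if mountpoint == root:
            root_seen = True
            if "ro" not in opts:
                findings.append((mountpoint, "jail root is writable"))
        elif mountpoint.startswith(root + "/") and "ro" not in opts:
            for flag in REQUIRED_ON_WRITABLE:
                if flag not in opts:
                    findings.append((mountpoint, f"writable mount lacks {flag}"))
    if not root_seen:
        findings.append((root, "jail root is not a separate mount"))
    return findings


if __name__ == "__main__":
    for mountpoint, problem in audit_jail(SAMPLE_MOUNTS, "/srv/jail"):
        print(f"{mountpoint}: {problem}")
```

Mount flags are only one layer: this check says nothing about the privileges of the processes running inside the jail.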