-----Original Message-----
From: Philippe Vogel [mailto:filiaap@freenet.de]
Sent: Wednesday, 16 February 2005 9:49 a.m.
To: suse-security@suse.com
Subject: Re: [suse-security] Security enhancements with Chrooted Apache?
Mike Tierney wrote:
| Yes people can escape from Chroots. There is no extra protection in
| the SuSE Kernel yet. And trying to apply any 3rd party patches can
| be a real pain (at least for the 2.4 kernel) owing to the extensive
| backports of stuff into it.

Is there any proof of concept or any article on the net, even if you disable /proc access in chroot-apache? What about the use of capabilities in that context (and grsecurity-patches)?
Disabling /proc won't stop the chroot being escaped, though it might rule out certain methods. I used the power of Google to find an example of how you can break out of a Chroot using a double "chdir". There may well be other pages out there detailing other methods. Or maybe there is only the "chdir" method. /shrug

http://www.bpfh.net/simes/computing/chroot-break.html

Note that you need to have root access. So AFAIK, to escape a Chrooted Apache you would need to:

1) Crack or exploit Apache to get a local shell
2) Execute a local kernel exploit to escalate yourself to Root
3) Execute a chroot escape exploit

Now that should stop most people. I'd hope it would stop 99.9% of script kiddies/bored teenagers. However a highly skilled and determined attacker could do it. So yes, running Apache Chrooted improves on your security enormously, but it's not crack-proof. But then maybe nothing is!

I believe the Grsecurity patches tighten up Chroot to stop the double-chroot escape mechanism from working (among many other useful things). The linux-vserver patches also do a similar thing + more.
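The precondition Mike points out, that the escape needs root, is only worth anything if the jailed process actually gives root up after entering the jail and cannot get it back. The following C program is an added illustration written for this thread; it is not code from the thread, from SuSE or from Apache. It shows the entry order that holds up (chdir into the jail, chroot, chdir to the new "/", drop groups, gid and uid, in that order) and then verifies the drop instead of assuming it, by checking that both chroot() and setuid(0) are now refused. The jail path and the uid/gid to drop to are assumed to come from the command line; the function names (enter_jail, chroot_still_possible, can_regain_root) are this example's own.

```c
/* Added example, not from the original thread: enter a chroot jail and
 * drop root in the order that leaves no way back, then verify the drop.
 * Run as root: ./jail JAILDIR UID GID (UID/GID non-zero). */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Probe whether this process could still call chroot(): returns 0 if
 * chroot("/") succeeds (a no-op that only a privileged process is allowed
 * to make), otherwise the errno, which is EPERM once root is gone. */
int chroot_still_possible(void)
{
    if (chroot("/") == 0)
        return 0;
    return errno;
}

/* Probe whether root could be regained: returns 1 if setuid(0) succeeds. */
int can_regain_root(void)
{
    return setuid(0) == 0;
}

/* Enter the jail and drop privileges. Returns 0 on success, -1 with errno
 * set on any failure, including a drop that did not actually take.
 * Refuses uid/gid 0, because "dropping" to root is not a drop. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    if (chdir(jail) != 0)          /* cwd inside the jail before chroot... */
        return -1;
    if (chroot(jail) != 0)         /* ...so "." is already under the new root */
        return -1;
    if (chdir("/") != 0)           /* never keep a cwd outside the new root */
        return -1;
    if (setgroups(0, NULL) != 0)   /* supplementary groups, then gid, then uid */
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify rather than assume: both privileged calls must now be refused.
     * Without root, the chroot escape discussed in the thread cannot run. */
    if (can_regain_root() || chroot_still_possible() != EPERM) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s JAILDIR UID GID\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (enter_jail(argv[1], uid, gid) != 0) {
        perror("enter_jail");
        return 1;
    }
    printf("confined in %s as uid %u; chroot() and setuid(0) now fail with EPERM\n",
           argv[1], (unsigned)getuid());
    return 0;
}
```

The two probes are what answer the capabilities question in the quoted mail: chroot() is gated on CAP_SYS_CHROOT, and a process that switches from uid 0 to a non-zero uid loses its capabilities with it (unless it deliberately asked to keep them), so once the setuid() succeeds the kernel itself refuses the call the double-chroot trick depends on. A daemon that stays root inside the jail, or that forks a root helper, keeps that door open no matter how the directory tree is arranged.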