Mailinglist Archive: opensuse-security (520 mails)

< Previous Next >
RE: [suse-security] chroot
  • From: "Dave Woutersen" <DWoutersen@xxxxxxxxxxx>
  • Date: Wed, 06 Dec 2000 13:42:12 +0100
  • Message-id: <sa2e4259.011@xxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Also HI!

Is there a "good" doc about creating a chroot jail? I prefer UNIX independent documentation because I work with different UNIX platforms. Mostly SUN by the way.

Thanks,

Dave
>>> Boris Lorenz <bolo@xxxxxxx> 6-12-00 12:47:42 >>>
Hi,

if a compiler and certain programs are missing in a chroot jail it can be
considered reasonably safe. A possible way for an attacker to break out of such
a jail is to abuse setuid programs such as (older) versions of perl (which is
likely to exist on a webserver for cgi-scripts), or to exploit known
vulnerabilities of other binaries which reside in the chroot'ed area.

There are numerous exploits for other chroot'ed environments for services such
as ftp (see http://www.securityfocus.com/archive/1/12962) but I doubt wether
these can be adjusted to your situation. Anyway, take a close look on what you
put in the chroot area.

There's some paper discussing ways of escaping the chroot jail under
http://www.bpfh.net/simes/computing/chroot-break.html which is quite
informative.

Boris <bolo@xxxxxxx>
---

On 05-Dec-00 Ralf Koch wrote:
> Hi.
>
> I've just a short question: Does anybody know how secure it is to
> chroot users in a small piece of my server tree?
>
> We want users to login via ssh and work on a webserver (test scripts
> etc.). They shouldn't see each other even they shouldn't know if they
> are on a real server or in a virtual space that seems and behave in
> most cases like a server. To point it out: Is there a possibility to
> break up the chrooted environment or is it safe to let them login ?
>
> Thanks in advance
>
> *
> * Ihr Formel4-Team
> * mailto:info@xxxxxxxxxx
[...]

---------------------------------------------------------------------
To unsubscribe, e-mail: suse-security-unsubscribe@xxxxxxxx
For additional commands, e-mail: suse-security-help@xxxxxxxx



< Previous Next >