Mailinglist Archive: opensuse-security (520 mails)

RE: [suse-security] chroot
  • From: Thomas Biege <thomas@xxxxxxx>
  • Date: Wed, 6 Dec 2000 13:22:47 +0100 (CET)
  • Message-id: <Pine.LNX.4.21.0012061314140.31013-100000@xxxxxxxxxxxxxx>
Hi,

> if a compiler and certain programs are missing in a chroot jail it can be
> considered reasonably safe.

It's easy to upload images. :)

> A possible way for an attacker to break out of such
> a jail is to abuse setuid programs such as (older) versions of perl (which is
> likely to exist on a webserver for cgi-scripts), or to exploit known
> vulnerabilities of other binaries which reside in the chroot'ed area.

It's true, but even without this you should be careful.
Often the UID/GID of programs in a chroot jail is changed to nobody/nogroup;
this enables an attacker to manipulate other processes with the same
UID outside the chroot jail via ptrace() (cron jobs are often run as
nobody).
An attacker could also use the network API to bypass ACLs (like tcpd and
packet filters), or to set up its own servers and fool clients.
Open directory descriptors are, besides directory links, the easiest way
to leave the jail. :)

> There are numerous exploits for other chroot'ed environments for services such
> as ftp (see http://www.securityfocus.com/archive/1/12962) but I doubt whether

They just work because they exploit bugs while the code is running with UID 0.

just my 0.02 Euro. :)

Bye,
Thomas
--
Thomas Biege, SuSE GmbH, Schanzaeckerstr. 10, 90443 Nuernberg
E@mail: thomas@xxxxxxx Function: Security Support & Auditing
"lynx -source http://www.suse.de/~thomas/thomas.pgp | pgp -fka"
Key fingerprint = 09 48 F2 FD 81 F7 E7 98 6D C7 36 F1 96 6A 12 47
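The points raised in this thread (setuid binaries inside the jail, interpreters and compilers that give an intruder tooling, processes outside the jail sharing the jail's UID as ptrace() targets, and descriptors left open across chroot()) can be checked from the outside with a short audit script. The following is an added example written for this archive page, not code from the original mail or from SuSE; the list of tool names it looks for is illustrative, and the descriptor check assumes a Linux /proc layout.

```shell
#!/bin/sh
# Added example (not from the original mail): audit a chroot jail for the
# weaknesses discussed in the thread. Usage: audit_jail /path/to/jail jailuser

# Count setuid/setgid regular files inside the jail. A bug in such a binary is
# the classic way code inside the jail becomes UID 0, so the expected value for
# a service jail is 0.
count_setuid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l | tr -d ' '
}

# Count interpreters and compilers anywhere under the jail. Since uploading a
# binary into the jail is easy, the question is whether the jail hands the
# intruder the tools to run or build code. Tool names are an assumed list.
count_toolchain_files() {
    n=0
    for tool in perl python gcc cc ld as make; do
        # -name matches the basename, so every bin/ directory under the jail is covered
        n=$((n + $(find "$1" -type f -name "$tool" 2>/dev/null | wc -l | tr -d ' ')))
    done
    echo "$n"
}

# List all processes running as the jail's user. Anything here other than the
# jailed service itself (cron jobs as nobody, for instance) is a ptrace()
# target for code inside the jail, which is why each jailed service should get
# its own dedicated user instead of nobody/nogroup.
list_same_uid_processes() {
    ps -u "$1" -o pid= -o comm= 2>/dev/null
}

# Linux-only: show descriptors of a process that point outside the jail.
# /proc/<pid>/fd/* links resolve against the real root, so a directory or file
# descriptor kept open from before chroot() appears as a path not under $jail.
list_fds_outside_jail() {
    pid=$1; jail=$2
    for fd in /proc/"$pid"/fd/*; do
        target=$(readlink "$fd" 2>/dev/null) || continue
        case "$target" in
            "$jail"|"$jail"/*) ;;                         # inside the jail: fine
            /*) printf '%s -> %s\n' "$fd" "$target" ;;    # outside the jail: a leak
            *) ;;                                         # sockets, pipes, anon inodes
        esac
    done
}

# Run the static checks; returns 0 when nothing suspicious was found.
audit_jail() {
    jail=$1; user=$2; rc=0
    s=$(count_setuid_files "$jail")
    [ "$s" -eq 0 ] || { echo "setuid/setgid files in $jail: $s"; rc=1; }
    t=$(count_toolchain_files "$jail")
    [ "$t" -eq 0 ] || { echo "interpreters/compilers in $jail: $t"; rc=1; }
    p=$(list_same_uid_processes "$user")
    [ -z "$p" ] || { echo "processes running as $user (ptrace targets):"; echo "$p"; rc=1; }
    return $rc
}

# Only run when invoked with arguments, so the functions can also be sourced.
if [ $# -ge 1 ]; then
    audit_jail "$1" "${2:-nobody}"
fi
```

Run it as `sh audit_jail.sh /srv/jail wwwjail` after the jailed daemon is started; follow up with `list_fds_outside_jail <pid> /srv/jail` on the daemon's PID to confirm that no descriptor from before the chroot() call survived the privilege drop.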

