[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Jailkit-users] Bunch of chroot security related questions
|
From: |
Olivier Sessink |
|
Subject: |
Re: [Jailkit-users] Bunch of chroot security related questions |
|
Date: |
Mon, 8 Mar 2010 13:26:20 +0100 (CET) |
|
User-agent: |
SquirrelMail/1.4.13 |
> Hi, I'm interested in the security of a chroot. I was surprised to find
> little documentation on it considering that's the primary objective of the
> damn thing.
>
> Anyway this is what I do at the moment.
>
> chown -R root:root /home/jailroot
> chmod -R 0755 /home/jailroot
> chown -R jail:jail /home/jailroot/home/jail
> chattr +a /home/jailroot/home/jail/.bash_history
> chattr +i /home/jailroot/home/jail/.bashrc
> chattr +i /home/jailroot/home/jail/.bash_profile
> chattr +i /home/jailroot/home/jail/.bash_logout
> chmod 0777 /home/jailroot/tmp
> chmod +t /home/jailroot/tmp
>
> Is this safe/correct?
yes it is
> Is it safe to mount /proc and /dev for screen and such things? Whats the
> best way to mount it? mount proc /home/penis/proc -t proc? noexec,nosuid
it is safer not to mount them, but that comes at a price of functionality.
several programs needs /proc/ or /dev/
> "If a jailed user or a jailed process can modify files in (for example)
> the
> JAIL/lib/ or JAIL/etc/ directory (i.e., those within the jail directory),
> the user can bypass security checks and gain root privileges.." How is
> this? Does this assume there is a process running as root that uses these
> libs? So then attacker could change them and execute arbitrary code in
> the
> root process?
assume you have sudo in the jail, and a user can write to sudoers
assume you have sudo in the jail, and the user can modify libc such that
libc will tell sudo you are in the right group
etc. etc.
Olivier