Re: kern.chroot_allow_open_directories
- From: Pawel Jakub Dawidek <pjd@xxxxxxxxxxx>
- Date: Fri, 10 Aug 2007 14:01:22 +0200
On Thu, Jul 19, 2007 at 08:34:29PM +0000, Stef Walter wrote:
> Pieter de Boer wrote:
> > > Is this sysctl meant to prevent breaking out of a chroot? Or am I
> > > missing the point of 'kern.chroot_allow_open_directories'?
> >
> > If the sysctl was set to 0 at the moment chroot() was called, then the
> > chroot() would have failed if the calling process had open directories
> > (that's what the sysctl is meant to do, if I'm understanding the source
> > right). If directories weren't open, the chroot() would work, but the
> > process would obviously not be able to open directories outside the
> > chroot after that, even if you'd set the sysctl to 1.
> >
> > As I see it, there's no problem here, but could be wrong; chroot() is
> > tricky afaik..
>
> Yes, it sure is.
>
> However if a root process inside the chroot jail reset that sysctl,
> after which it seems it could perform the usual break out thingy:
>
> http://www.bpfh.net/simes/computing/chroot-break.html
>
> I guess what I was wondering, is if FreeBSD is in fact immune to this
> attack, and whether it makes sense to chroot superuser processes on FreeBSD.

Superuser running inside chroot(2) has many ways to escape. You
basically gain no additional security in chrooting a process that will
continue to operate with privileges.
You should either chroot and drop privileges or use jail(2).
--
Pawel Jakub Dawidek http://www.wheel.pl
pjd@xxxxxxxxxxx http://www.FreeBSD.org
FreeBSD committer Am I Evil? Yes, I Am!
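
The "chroot and drop privileges" advice in the reply above, sketched in C as an added example (not code from this thread or from FreeBSD). The function names, return codes, the `/var/empty` path and the 65534 uid/gid are assumptions made for the illustration; the open-directory check is a user-space analogue of what the thread says the sysctl does when set to 0.

```c
#define _DEFAULT_SOURCE          /* exposes chroot(2)/setgroups(2) on glibc */
#include <fcntl.h>
#include <grp.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

enum { CONFINE_OK = 0, CONFINE_BAD_ID = -1, CONFINE_OPEN_DIR = -2, CONFINE_SYSCALL = -3 };

/* Count descriptors that refer to directories. A directory fd held across
 * chroot() still refers to a location outside the new root. */
int count_open_dirs(void)
{
    long max = sysconf(_SC_OPEN_MAX);
    if (max < 0 || max > 65536)
        max = 65536;             /* scan cap chosen for this example */
    int n = 0;
    for (int fd = 0; fd < (int)max; fd++) {
        struct stat st;
        if (fstat(fd, &st) == 0 && S_ISDIR(st.st_mode))
            n++;
    }
    return n;
}

/* chroot into dir, then give up root for good. Order matters: chroot()
 * and setgroups() need privilege, so setuid() has to come last. */
int confine(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return CONFINE_BAD_ID;   /* staying root gains nothing, per the reply */
    if (count_open_dirs() > 0)
        return CONFINE_OPEN_DIR; /* refuse while any directory fd is open */
    if (chdir(dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return CONFINE_SYSCALL;
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return CONFINE_SYSCALL;
    if (setuid(0) == 0)          /* regaining root must no longer work */
        return CONFINE_SYSCALL;
    return CONFINE_OK;
}

int main(void)
{
    int fd = open(".", O_RDONLY);                      /* directory fd left open */
    int refused = confine("/var/empty", 65534, 65534); /* constructed values */
    if (fd >= 0) close(fd);
    return refused == CONFINE_OPEN_DIR ? 0 : 1;
}
```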