[REVS] Chrooting Daemons and System Processes HOW-TO

From: support@securiteam.com
Date: 10/19/02


From: support@securiteam.com
To: list@securiteam.com
Date: 19 Oct 2002 04:11:19 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Chrooting Daemons and System Processes HOW-TO
------------------------------------------------------------------------

SUMMARY

A very good HOWTO has been released by Network Dweebs to better explain
what chrooting is, how to chroot daemons and how to make sure they are
working properly.

DETAILS

Introduction:
What is chrooting?
The command/function chroot is short for 'change root', and is designed to
change the file system root for the environment it is applied to. This
means the initial slash (/) in any path name is made relative to the
chrooted path. For example, if a file called /home/jonz/hello.txt exists
on the system, and I then chroot to /home/jonz, the file would then
exist, in my chrooted environment, as /hello.txt

Chrooting is designed to create an impenetrable (theoretically) "jail"
that prevents what is being chrooted from being able
to read or modify any files outside of the chrooted environment. In the
example above, I would be unable to access any files outside of
/home/jonz, since / is now pointing to /home/jonz. Chrooting is commonly
used to jail users in multi-user environments to protect system files.
Chrooting can also be used to jail system daemons to prevent them from
being viable targets for hackers. If a hacker should exploit a
vulnerability in a chrooted system daemon, affecting files
outside of the jail or obtaining a root shell becomes significantly more
difficult. One big reason for this is that a shell is no longer part of
the environment's path, so even if the hacker blows the stack away there's
no shell to drop to. Many people have claimed to be able to break out of a
chrooted jail, but in many cases it was from a shell (which doesn't exist
in our case). Breaking out of a daemon-environment jail is, at the very
least, extremely difficult.
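
An added example, not part of the HOWTO or of Network Dweebs' code: it maps a host path to the path seen inside the jail, as in the /home/jonz case above, and audits a jail directory for the shell the text says should be absent. It goes beyond the text by also flagging setuid/setgid and world-writable entries; the function names and the sample layout are assumptions.

```shell
#!/bin/sh
# Added example, not from the HOWTO. Function names and the sample
# jail layout are assumptions made for illustration.

# Print the path a jailed process would see for a host path, or
# return 1 when the host path lies outside the jail.
jail_view() {
    _root=${1%/}
    case $2 in
        "$_root")   printf '/\n' ;;
        "$_root"/*) printf '%s\n' "${2#"$_root"}" ;;
        *)          return 1 ;;
    esac
}

# Report items that weaken a daemon jail, one finding per line, using
# in-jail paths: shells, setuid/setgid files, and world-writable
# files or directories.
audit_jail() {
    _jail=${1%/}
    {
        find "$_jail" \( -type f -o -type l \) \( -name sh -o -name bash \
            -o -name dash -o -name ksh -o -name csh -o -name tcsh \
            -o -name zsh \) | sed 's/^/shell: /'
        find "$_jail" -type f \( -perm -4000 -o -perm -2000 \) |
            sed 's/^/setid: /'
        find "$_jail" \( -type f -o -type d \) -perm -0002 |
            sed 's/^/world-writable: /'
    } | while IFS= read -r line; do
        printf '%s %s\n' "${line%%: *}:" \
            "$(jail_view "$_jail" "${line#*: }")"
    done
}

# Build a constructed sample jail in a temp directory and print its
# path. It is deliberately weak: it ships a shell and a 777 directory.
make_sample_jail() (
    umask 022
    d=$(mktemp -d) || exit 1
    mkdir -p "$d/bin" "$d/etc" "$d/var/run"
    : > "$d/bin/named"; : > "$d/bin/sh"; : > "$d/etc/named.conf"
    chmod 755 "$d/bin/named" "$d/bin/sh"
    chmod 777 "$d/var/run"
    echo "$d"
)
```

Running `audit_jail "$(make_sample_jail)"` lists the two weaknesses planted in the sample tree; an empty result means none of these checks fired.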

When is it appropriate to chroot daemons or system processes?
Chrooting daemons is a practical method of adding an additional layer of
security to your system. Many system processes and third party
applications already have some safeguards against vulnerability exploits.
Many tools now have the ability to run as non-root users, which makes it
harder for hackers to attack root.

Network security layers such as firewalls, TCP wrappers, filters, and
so on also add to the overall security of a system. Like all of these,
chrooting is appropriate for most implementations, where it is possible to
do so without compromising functionality.

Can all daemons be chrooted?
Technically you can chroot anything you like, including your mother's
casserole, but in some cases chrooting is not possible without
"breaking" something or, in other circumstances, without an elaborate,
unconventional configuration that is not worth the trouble. Some daemons cannot
function properly in a chrooted environment due to the complexity of their
functions. For example, sendmail must have the ability to access users'
home directories to search for .forward files. There is no practical way
to chroot sendmail without creating an elaborate, time consuming "mirror".
This is why sendmail has an alternative solution, smrsh (sendmail
restricted shell). A majority of system daemons, however, can be safely
chrooted with little effort.

Will chrooting affect my users?
If it is done correctly, your users should notice no difference in system
behavior. Chrooting in itself will not directly affect your users or alter
your operating system. The existing system is commonly left untouched,
while small "jails" are created to provide services from. Keep in mind
also that we're not talking about taking advantage of chroot packages existing
in ftp or ssh daemons. That is a similar, yet different, concept from the
one we're discussing here. We're discussing chrooting the system daemons
that provide these services, so that they can transparently get their job done
with additional security.

ADDITIONAL INFORMATION

The complete article can be downloaded from:
http://www.networkdweebs.com/chroot.html

The information has been provided by Jonathan A. Zdziarski
<jonathan@networkdweebs.com> of Network Dweebs.
