Re: Chrooting Openssh
From: Charles Clancy (security@xauth.net) Date: 10/22/01
- Previous message: Jason Giglio: "Re: SUID program removal"
- In reply to: Skip Carter: "Re: Chrooting Openssh"
- Next in thread: Mike Johnson: "Re: Chrooting Openssh"
- Next in thread: Zow: "Re: Chrooting Openssh"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 22 Oct 2001 13:43:38 -0500 (CDT)
From: Charles Clancy <security@xauth.net>
To: focus-linux@lists.securityfocus.com
Subject: Re: Chrooting Openssh
Message-ID: <Pine.GSO.4.40.0110221336560.29467-100000@ismene>
> > > Does anybody know how to chroot the openssh service?
> >
> > Generally chroot defeats the purpose of OpenSSH.
>
> I would have to respectfully disagree with this. It can make a lot of sense
> to chroot ssh sessions. With the use of the PAM module pam_chroot, you can
> easily chroot certain users and not others (so, for example admins would
> not get chrooted and ordinary shell account users would be).
If you're chrooting individual users, that's different from chrooting the
entire daemon process. With the module described, the chrooting happens after
the user authenticates, which means any buffer-overflow attacks against
the SSH daemon itself would still be effective in giving an attacker
access to the entire filesystem.
If the goal of chrooting is to hinder the access of certain authenticated
users, then certainly chrooting makes sense; however, this is not specific
to OpenSSH and applies to anything giving someone access to the file
system (rsh, telnet, ftp, samba, etc).
If the goal of chrooting is to limit the effectiveness of buffer overflow
attacks (as many have done with BIND), then you have to chroot the entire
server processes, and it makes remote system administration difficult,
because even root is restricted to the new root.
-- t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
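The post contrasts per-user chrooting after authentication (pam_chroot) with jailing the whole daemon before it ever touches untrusted input. The following is an added illustration of the whole-daemon pattern, written for this archive page; it is not OpenSSH or pam_chroot code. It assumes a jail directory (/var/empty by default, a placeholder path) and an unprivileged uid/gid of 65534, and shows the two things a practitioner checks: that the jail root is owned by root and not writable by others, and that the process chroots, chdirs into the new root and drops privileges in that order, so that even a later compromise of the daemon is confined to the jail and runs without root.

```c
/* Added example: jailing a whole daemon process before it handles
 * network input.  Not code from OpenSSH or pam_chroot.  The jail
 * path and the uid/gid 65534 (nobody/nogroup on many systems) are
 * assumptions for illustration. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* A chroot target must be a directory owned by root and not writable
 * by group or others; a writable jail root lets a confined user plant
 * files (e.g. a fake /etc) that the daemon later trusts.
 * Returns 1 if the directory is acceptable, 0 if not, -1 if stat fails. */
int jail_dir_is_safe(const char *dir)
{
    struct stat st;
    if (stat(dir, &st) != 0)
        return -1;
    if (!S_ISDIR(st.st_mode))
        return 0;
    if (st.st_uid != 0)
        return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return 0;
    return 1;
}

/* Enter the jail and become an unprivileged user.  Order matters:
 * chroot() first, then chdir("/") so the working directory is inside
 * the new root, then drop supplementary groups, gid and uid so the
 * process is no longer root inside the jail.  This has to run before
 * any untrusted data is parsed; doing it only after authentication
 * (as pam_chroot does) leaves pre-auth bugs unconfined.
 * Returns 0 on success or the errno of the step that failed. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (jail_dir_is_safe(dir) != 1)
        return EACCES;          /* refuse an unsafe or missing jail root */
    if (chroot(dir) != 0)
        return errno;           /* EPERM unless running as root */
    if (chdir("/") != 0)
        return errno;
    if (setgroups(0, NULL) != 0)
        return errno;
    if (setgid(gid) != 0)
        return errno;
    if (setuid(uid) != 0)
        return errno;
    /* Confirm root cannot be regained; if it can, the drop was incomplete. */
    if (setuid(0) == 0)
        return EPERM;
    return 0;
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/var/empty";   /* assumed jail path */
    int rc = enter_jail(dir, 65534, 65534);                /* assumed unprivileged ids */
    if (rc != 0) {
        fprintf(stderr, "enter_jail(%s) failed: %s\n", dir, strerror(rc));
        return 1;
    }
    /* Inside the jail the real /etc/passwd is unreachable unless the
     * administrator copied one into the jail. */
    printf("in jail as uid %u; /etc/passwd %s\n", (unsigned)getuid(),
           access("/etc/passwd", R_OK) == 0 ? "visible" : "not visible");
    return 0;
}
```

Run as root with the path of a prepared jail to see the daemon-level confinement; run unprivileged and chroot() fails with EPERM, which is exactly why this step has to happen in the privileged parent before the service starts talking to clients. The point about administration in the post follows directly: once this has run, nothing in the process can reach outside the jail, root included.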