Re: Exploit (t666.c) breaking chroot()
> This exploit for the latest Bind holes (hope you
> all upgraded to P5 already) promises to break chroot().
> As far as I know, chroot shouldn't be returnable from by anyone.
> In many cases chroot is treated as a major security feature
> (think of linuxconf demo site, when they run their demo
> linuxconf from a chroot()ed environment) and many docs
> suggest running named chrooted.
> So how come it can be skipped?
named is a root process; root can usually break from chroot()
jails. The method used in that exploit is somewhat system specific --
they note, in fact, that it does not work against NetBSD -- but
regardless, even if a root process is confined (from a directory
tree perspective) to a restricted tree, it can still do a lot of
damage.
Summary: chroot() is not safe to use against a root process.
=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il