[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Chroot jail



On Thu, 11 Oct 2001, Nadav Har'El wrote:

> On Wed, Oct 10, 2001, Eran Levy wrote about "Chroot jail":
> > Hi,
> > I know how making bind, apache, etc. into a chroot jail. But now I want to
> > make a guest account in a chroot jail. I had some documents/guides about
> > that, but I cant find them now. Can someone give me URLs of
> > documents/guides? I cant find guides/document specified for a user account
> > in a chroot jail. Any idea?
>
> I don't know of any guides (try a search engine like Google) but there's
> one obvious problem you'll need to solve when chroot-jailing someone: you'll
> need to provide a copy all the binaries, libraries, and so on that the user is
> supposed to use inside his jail. This becomes unwieldy when you have several
> jailed users.
> Two ways to prevent this redunant copying:
>  1. Use hard-links (symbolic links won't work) rather than copying
>  2. Put all the binaries, libraries, etc., that you want to give your
>     users in a seperate partition, and then mount it at multiple mount points.
>     This is possible in Linux! You can even have a virtual partition (e.g.,
>     some sort of loopback) and not a real disk partition.
>
> But if you use one of these solutions, watch out: one of the ideas of a
> chroot jail is that the user may (through some exploit) become root, but
> then can only ruin his own files. If the files are linked to other files,
> he'll be able to ruin those files. So never link a non-trusted user's files
> with the ones you're using - always make at least one other copy - for the
> non-trusted jailed users.

If you assume that the chroot-ed user can become root, and he either has a
compiler or a binary of "chroot" then he can also break out of the chroot
jail, and become root of the whole system.

-- 
Tzafrir Cohen
mailto:tzafrir@technion.ac.il
http://www.technion.ac.il/~tzafrir



=================================================================
To unsubscribe, send mail to linux-il-request@linux.org.il with
the word "unsubscribe" in the message body, e.g., run the command
echo unsubscribe | mail linux-il-request@linux.org.il