...making Linux just a little more fun!

Slight tweak to your editorial note

Rick Moen [rick at linuxmafia.com]


Tue, 24 Mar 2009 15:51:55 -0700

Almost not worth mentioning, but I've made a substantive albeit de minimis addition to your editorial note, consisting of the words "non-root":

<p class="editorial">[ A common application of this would be to run a Web or FTP server chrooted in a directory like /home/www or /home/ftp; this provides an excellent layer of security, since even a malicious non-root user who manages to crack that server is stuck in a "filesystem" that contains few or no tools, no useful files other than the ones already available for viewing or downloading, and no way to get up "above" the top of that filesystem. This is referred to as a "chroot jail". -- Ben ]

Take my word for it, without that qualifier, you'd attract quibbles from people repeating the usual mantra: "chroot(8) is not root safe." (Ditto the chroot() system call.)

That is, the root user, and thus also any process that can escalate to UID0 privilege can trivially escape from any chroot jail:
http://kerneltrap.org/Linux/Abusing_chroot
http://unixwiz.net/techtips/chroot-practices.html
http://www.bpfh.net/simes/computing/chroot-break.html

(You'll note that the article lists other indirect ways of escalating privilege, plus "Why would anyone put that in a chroot jail?" methods such as "Follow a pre-existing hard link to outside the jail.")

If you want to be almost safe against kibitzers writing in to say "chroot is not a security tool!" (another common mantra), amend your footnote to say that the tool must be used with care as some known means exist to attack it, and that it's no substitute for eschewing dangerous software and configurations. And maybe link to one or more of those links.




Rick Moen [rick at linuxmafia.com]


Tue, 24 Mar 2009 16:06:16 -0700

I wrote:

> Almost not worth mentioning, but I've made a substantive albeit
> de minimis addition to your editorial note, consisting of the words
> "non-root":

Er, I actually meant to send that only to "ben@linuxgazette.net", but borrowed the headers from an old message that evidently had been CC'd to TAG. Fortunately, my general policy of not sending in e-mail anything you couldn't live with appearing on the front page of the _New York Times_ has paid off, yet again. ;->




Ben Okopnik [ben at linuxgazette.net]


Tue, 24 Mar 2009 21:30:23 -0400

On Tue, Mar 24, 2009 at 03:51:55PM -0700, Rick Moen wrote:

> 
> Almost not worth mentioning, but I've made a substantive albeit
> de minimis addition to your editorial note, consisting of the words
> "non-root":
> 
> <p class="editorial">[ A common application of this would be to run a Web
> or FTP server chrooted in a directory like /home/www or
> /home/ftp; this provides an excellent layer of security, since even a
> malicious non-root user who manages to crack that server is stuck in a
> "filesystem" that contains few or no tools, no useful files other than
> the ones already available for viewing or downloading, and no way to get
> up "above" the top of that filesystem. This is referred to as a "chroot
> jail". -- Ben ]
> 
> Take my word for it, without that qualifier, you'd attract quibbles from
> people repeating the usual mantra:  "chroot(8) is not root safe."
> (Ditto the chroot() system call.)

I can't imagine anyone stupid enough to run a web or FTP server as root - for that matter, many of them drop privs after startup anyway - but certainly, it's a point worth making.

> That is, the root user, and thus also any process that can escalate to 
> UID0 privilege can trivially escape from any chroot jail:
> http://kerneltrap.org/Linux/Abusing_chroot
> http://unixwiz.net/techtips/chroot-practices.html
> http://www.bpfh.net/simes/computing/chroot-break.html

Sure. I've got a chunk of chroot-breaking code in my "teaching files" directory; it's stupidly simple, actually. I've always found it somewhat offensive that it's that easy.

> (You'll note that the article lists other indirect ways of
> escalating privilege, plus "Why would anyone put that in a chroot
> jail?" methods such as "Follow a pre-existing hard link to outside the
> jail.")

[laugh]

I have seen sillier things ('vi' in a restricted shell, for example), but not often.

> If you want to be almost safe against kibitzers writing in to 
> say "chroot is not a security tool!" (another common mantra), amend your
> footnote to say that the tool must be used with care as some known means
> exist to attack it, and that it's no substitute for eschewing dangerous
> software and configurations.  And maybe link to one or more of those
> links.

Not a bad idea; added.

It would be nice if there was a mechanism as simple as chroot and that was secure enough to do - well, the kind of things that people normally do with it. It's rather scary to consider how many root-priv chroot accounts exist out there; I know someone who was hosting lots of shell/web accounts on their machine. The default login was 'root@...' - because it was "too much trouble" to help everybody set their stuff up otherwise.

-- 
* Ben Okopnik * Editor-in-Chief, Linux Gazette * http://LinuxGazette.NET *
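
Added example, not part of the original thread or of the linked articles: a Python audit of a jail directory for weaknesses the thread names, a hard link whose other name lies outside the jail and setuid/setgid files (one indirect route to the UID 0 that chroot does not contain), plus device nodes. The function names and the sample tree built in a temporary directory are constructed for illustration.

```python
import os
import stat
import tempfile
from collections import defaultdict


def audit_jail(jail):
    """Return sorted (issue, path relative to jail) findings for a jail tree."""
    findings = []
    names = defaultdict(list)  # (dev, inode, link count) -> names inside jail
    for dirpath, dirnames, filenames in os.walk(jail):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, jail)
            st = os.lstat(path)  # lstat: never follow a symlink out of the tree
            if stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
                findings.append(("device-node", rel))
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setid-file", rel))
            names[(st.st_dev, st.st_ino, st.st_nlink)].append(rel)
    # More links than names found inside the jail means another name exists
    # outside it: the "pre-existing hard link" case from the thread.
    for (_dev, _ino, nlink), inside in names.items():
        if nlink > len(inside):
            findings.extend(("hardlink-outside", rel) for rel in inside)
    return sorted(findings)


def demo():
    """Build a constructed sample jail in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as top:
        p = lambda *parts: os.path.join(top, *parts)
        for d in ("pub", "bin"):
            os.makedirs(p("jail", d))
        for rel in ("outside.txt", "jail/pub/index.html", "jail/bin/helper"):
            with open(p(rel), "w") as f:
                f.write("constructed sample\n")
        os.link(p("outside.txt"), p("jail", "pub", "leak.txt"))  # leaks out
        os.link(p("jail/pub/index.html"), p("jail/pub/home.html"))  # stays in
        os.chmod(p("jail", "bin", "helper"), 0o4755)  # setuid bit
        return audit_jail(p("jail"))


if __name__ == "__main__":
    print(*demo(), sep="\n")
```

A hard link that stays entirely inside the jail (index.html and home.html here) is not reported, because its link count equals the number of names found inside the tree.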

