[ale] chroot and /proc?
Brian Pitts
brian at polibyte.com
Tue Apr 1 14:36:23 EDT 2008
Jeff Lightner wrote:
> BASIC QUESTION:
>
> How does one secure /proc in a chroot environment?
>
> DETAILS:
>
> On another mailing list a user was having an issue getting BIND to
> recognize all 4 CPUs. Someone suggested doing mount --bind of /proc
> into the chroot environment.
>
> To me this seems like a huge security issue. By making /proc available
> to the chroot environment it would allow anyone that compromised the
> chroot environment to muck things up by echoing things into /proc (e.g.
> many SCSI changes can be done by echoing into
> /proc/scsi/<adapter>/<instance>).
>
> On doing a Google search the only mention I see of securing this kind of
> setup talks about using UML with a different non-root user to restrict
> access but that post was from 2005. I’m wondering if that would still
> be a valid approach.

You can only muck around in /proc if you have root access. It's my
understanding that if you have root access, you can get out of a chroot.

http://lwn.net/Articles/252794/

"There are reasonable uses of chroot() for very limited security
purposes. Daemons that do not run as root can be placed into their own
filesystem subtree – bind/named and Apache are sometimes run this way –
to prevent any access outside of it. That will work, even if the daemon
gets exploited, as long as there is no way to elevate privileges after
the exploit. For example, if there are vulnerable setuid() programs
accessible from within the chroot(), full filesystem access is possible.
chroot() is a useful call, many install programs use it, as do programs
that need to see a consistent set of older libraries, but it has very
limited use in security applications. It does not provide a sandbox that
can be used to test suspicious code, that code might escalate its
privilege and access anything it wished. Maintaining an up-to-date
chroot() environment adds an additional burden on administrators as
well; update tools do nothing to help keep utilities secure if they live
outside of the normal places. It is probably safest to avoid using it as
any kind of security tool."
-Brian
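
An added example, not part of the original thread: a shell audit of a chroot tree for the two conditions discussed above, setuid/setgid binaries reachable inside the chroot and a proc filesystem mounted into it. The function names and the jail path passed to them are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original thread). Function names are hypothetical.

# List setuid/setgid regular files under the chroot root ($1).
# Any such file is a possible privilege-escalation path inside the jail.
chroot_setid_files() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# List proc filesystems mounted below the chroot root ($1). Reads a mounts
# table in /proc/mounts format from $2 (default: /proc/self/mounts), where a
# bind mount of /proc shows up with filesystem type "proc".
# Mount points containing spaces appear escaped (\040) and are not decoded here.
chroot_proc_mounts() {
    root=${1%/}
    awk -v root="$root" '
        $3 == "proc" && index($2, root "/") == 1 { print $2 }
    ' "${2:-/proc/self/mounts}"
}

# Report both findings; return 0 when the tree is clean, 1 otherwise.
chroot_audit() {
    rc=0
    setid=$(chroot_setid_files "$1")
    procs=$(chroot_proc_mounts "$1" "$2")
    if [ -n "$setid" ]; then
        printf 'setuid/setgid files inside %s:\n%s\n' "$1" "$setid"
        rc=1
    fi
    if [ -n "$procs" ]; then
        printf 'proc mounted inside %s:\n%s\n' "$1" "$procs"
        rc=1
    fi
    return "$rc"
}

# Stand-alone use: sh audit.sh /path/to/chroot [mounts-file]
if [ "$#" -gt 0 ]; then
    chroot_audit "$@"
fi
```

A clean result only covers these two checks; it says nothing about whether the daemon itself still runs as root.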