On 2010-12-10 at 14:02+00 Daniel P Berrange <berrange@xxxxxxxxxx> wrote:

> I'm not familiar with what attacks you can do on mocks' chroot setup
> offhand

<http://fedoraproject.org/wiki/Projects/Mock> describes an easy one:

    $ /usr/bin/mock --init -r fedora-10-i386
    $ /usr/bin/mock --shell -r fedora-10-i386
    mock-chroot> chmod u+s bin/bash
    $ /var/lib/mock/fedora-10-i386/root/bin/bash -p
    # cat /etc/shadow

> but perhaps it is possible to avoid them by also leveraging some of
> the new kernel container features which allow you to build stronger
> virtual root, without going to the extreme of a full VM.

There are two challenges here. First, you must be able to prevent the root user from breaking out of the chroot jail. But second, you must also prevent unprivileged users outside of the chroot jail from being able to interact with things inside the chroot jail in a manner that they can use to escalate their privileges. Setting up a setuid bash shell within the chroot jail and then invoking it via a normal user outside of the jail is the obvious example, but there are undoubtedly other avenues of attack that must be defended.

--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
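An audit for the second challenge described in the message above, as an added example that is not part of the original post: it lists setuid/setgid files inside a chroot tree and flags those a user outside the jail could reach and execute. The names audit_chroot, dirs_between and the base parameter are assumptions made for this sketch; base is taken to be an ancestor directory of the chroot root.

```python
import os
import stat


def dirs_between(base, path):
    """Yield base and every directory below it on the way to path's parent.

    Assumes base is an ancestor of path (hypothetical helper for this sketch).
    """
    base = os.path.abspath(base)
    parent = os.path.dirname(os.path.abspath(path))
    yield base
    rel = os.path.relpath(parent, base)
    cur = base
    if rel != ".":
        for part in rel.split(os.sep):
            cur = os.path.join(cur, part)
            yield cur


def audit_chroot(root, base=None):
    """Return (path, mode string, exposed) for each setuid/setgid file under root.

    exposed is True when the file is executable by "other" and every directory
    from base down to the file grants "other" search permission, i.e. an
    unprivileged user outside the jail can run it by its host path.
    """
    base = base or root
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # symlinked dirs are not followed
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue
            if not st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                continue
            exposed = bool(st.st_mode & stat.S_IXOTH) and all(
                os.stat(d).st_mode & stat.S_IXOTH for d in dirs_between(base, path)
            )
            findings.append((path, stat.filemode(st.st_mode), exposed))
    return findings


if __name__ == "__main__":
    # Path taken from the transcript in the message; base is an assumption.
    for path, mode, exposed in audit_chroot(
        "/var/lib/mock/fedora-10-i386/root", base="/var/lib/mock"
    ):
        print(mode, "EXPOSED" if exposed else "shielded", path)
```

A file reported as exposed stops being usable for escalation when any directory on the path drops search permission for "other", or when the filesystem holding the chroot is mounted nosuid.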