On Fri, Dec 10, 2010 at 01:01:56PM -0500, James Ralston wrote:
> On 2010-12-10 at 14:02+00 Daniel P Berrange <berrange@xxxxxxxxxx> wrote:
>
> > I'm not familiar with what attacks you can do on mock's chroot setup
> > offhand
>
> <http://fedoraproject.org/wiki/Projects/Mock> describes an easy one:
>
> $ /usr/bin/mock --init -r fedora-10-i386
> $ /usr/bin/mock --shell -r fedora-10-i386
> mock-chroot> chmod u+s bin/bash
> $ /var/lib/mock/fedora-10-i386/root/bin/bash -p
> # cat /etc/shadow
>
> > but perhaps it is possible to avoid them by also leveraging some of
> > the new kernel container features which allow you to build stronger
> > virtual root, without going to the extreme of a full VM.
>
> There are two challenges here.
>
> First, you must be able to prevent the root user from breaking out of
> the chroot jail.
>
> But second, you must also prevent unprivileged users outside of the
> chroot jail from being able to interact with things inside the chroot
> jail in a manner that they can use to escalate their privileges.
>
> Setting up a setuid bash shell within the chroot jail and then
> invoking it via a normal user outside of the jail is the obvious
> example, but there are undoubtedly other avenues of attack that must
> be defended.

Oh fun, I didn't notice the permissions in /var/lib/mock/$NAME/root
were so open as to allow access from non-root users outside the chroot.
That could be locked down though, so that stuff inside the chroot was
only visible while on the inside.

Daniel
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
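
An added example, not part of the original thread and not mock's own code: a Python audit that lists setuid/setgid files inside a chroot tree and reports whether users outside the chroot can reach and execute them, which is the exposure the lock-down discussed above would close. The function names and the `top` parameter are assumptions of this example; it looks only at the "other" permission bits and ignores ACLs, group access and `nosuid` mounts.

```python
import os
import stat
import sys

SETID = stat.S_ISUID | stat.S_ISGID


def others_can_reach(directory, top="/"):
    """True if every directory from `directory` up to (not including) `top`
    has the o+x bit, i.e. an unrelated local user can traverse into it."""
    path, top = os.path.realpath(directory), os.path.realpath(top)
    while path != top:
        if not os.stat(path).st_mode & stat.S_IXOTH:
            return False
        parent = os.path.dirname(path)
        if parent == path:  # reached the filesystem root without meeting `top`
            break
        path = parent
    return True


def audit_chroot(root, top="/"):
    """Return sorted (relative_path, octal_mode, exposed) tuples for every
    setuid/setgid regular file under `root`. `exposed` means the file is
    executable by "other" and its directory is reachable from outside."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):  # does not follow symlinked dirs
        for name in files:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not (stat.S_ISREG(st.st_mode) and st.st_mode & SETID):
                continue
            exposed = bool(st.st_mode & stat.S_IXOTH) and others_can_reach(dirpath, top)
            mode = oct(stat.S_IMODE(st.st_mode))
            findings.append((os.path.relpath(full, root), mode, exposed))
    return sorted(findings)


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: audit_chroot.py /var/lib/mock/NAME/root")
    for rel, mode, exposed in audit_chroot(sys.argv[1]):
        print(f"{'EXPOSED  ' if exposed else 'contained'}  {mode}  {rel}")
```

Run it as root so the walk can read every directory; a chroot root restricted to mode 0700 turns each `EXPOSED` line into `contained`.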