On Mon, Nov 10, 2008 at 06:58:38AM -0500, Alan Cox wrote: > On Mon, Nov 10, 2008 at 01:34:23PM +0100, Adam Tkac wrote: > > Chroot is good and traditional method how restrict daemons. Many users > > still use it and it is far more easy create chroot configuration than > > create/maintain SELinux policy. I don't think SELinux obsoletes > > chroot, both try restrict daemon privileges and both have + and -. > > chroot isn't a security feature. It helps for some non-root cases but there > are ways out of chroots and there are all sorts of fun things that can be > used to escape a chroot in the right circumstances. Well, we are quite OT but could you point me how daemon could escape chroot when it is written correctly? > > Its also inadequate for some forms of attack. If I can persuade your named to > run code of my choice in a chroot without selinux then I can still use your > box as a spam machine, botnet host, DoS attack tool, proxy, etc .. all without > breaking the chroot. > > In the SELinux case a lot of those actions will hit SELinux denials. > Right you are but when you are using chroot it is very hard to do such attack. I think it is nearly impossible insert and run such long arbitrary code especially when binary is compiled with stack protector. Make sure I also think SELinux is better but it doesn't mean that chroot is useless and obsoleted. Adam -- Adam Tkac, Red Hat, Inc. -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
