http://etbe.coker.com.au/2007/08/22/se-linux-vs-chroot/
of Russel Cooker
On Mon, Nov 10, 2008 at 2:26 PM, Adam Tkac <atkac@xxxxxxxxxx> wrote:
On Mon, Nov 10, 2008 at 06:58:38AM -0500, Alan Cox wrote:Well, we are quite OT but could you point me how daemon could escape chroot
> On Mon, Nov 10, 2008 at 01:34:23PM +0100, Adam Tkac wrote:
> > Chroot is good and traditional method how restrict daemons. Many users
> > still use it and it is far more easy create chroot configuration than
> > create/maintain SELinux policy. I don't think SELinux obsoletes
> > chroot, both try restrict daemon privileges and both have + and -.
>
> chroot isn't a security feature. It helps for some non-root cases but there
> are ways out of chroots and there are all sorts of fun things that can be
> used to escape a chroot in the right circumstances.
when it is written correctly?
Right you are but when you are using chroot it is very hard to do
>
> Its also inadequate for some forms of attack. If I can persuade your named to
> run code of my choice in a chroot without selinux then I can still use your
> box as a spam machine, botnet host, DoS attack tool, proxy, etc .. all without
> breaking the chroot.
>
> In the SELinux case a lot of those actions will hit SELinux denials.
>
such attack. I think it is nearly impossible insert and run such long
arbitrary code especially when binary is compiled with stack protector.
Make sure I also think SELinux is better but it doesn't mean that
chroot is useless and obsoleted.
Adam
--
Adam Tkac, Red Hat, Inc.
--
fedora-devel-list mailing list
fedora-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-devel-list
-- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
