On Wed, Sep 25, 2019 at 04:32:45PM +0200, Laslo Hunhold wrote:
> On Wed, 25 Sep 2019 16:06:52 +0200
> Markus Wichmann <nullp...@gmx.net> wrote:
>
> Dear Markus,
>
> > chroot() has several detrimental effects, most importantly making it
> > impossible to access /dev/null and /dev/urandom. Unless, of course,
> > measures are taken to replicate these devices underneath the new root.
>
> please excuse the ignorant question, but why would you want to access
> /dev/null? The problem with /dev/urandom is well-known, which is why
> OpenBSD has arc4random(3).
>
> > It is also not a security device. If a service in a chroot is
> > exploited with root privileges, it can mount procfs wherever, and
> > access /proc/1/root. It can also mount another instance of the rootfs
> > wherever and escape the jail that way.
>
> You are absolutely right. chroot() on its own is not a security device,
> but it is when you drop your privileges after chrooting. Then it is not
> possible to mount procfs or whatnot.
>
> After all, one measure alone is never enough, which is why I also use
> unveil(2) (at least on OpenBSD) to make any other accesses to the file
> system impossible.
>
> With best regards
>
> Laslo
>
Yes, and to add to it: of course unveil and pledge also don't need (initial)
root permissions, which makes locking down basic programs very easy.

-- 
Kind regards,
Hiltjo
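The pattern the thread describes, chroot() followed immediately by an irreversible privilege drop and, on OpenBSD, unveil(2)/pledge(2) on top, as an added example that is not part of the thread or of any suckless project. It assumes the caller starts as root (only root may chroot()), that the target uid/gid are non-zero, and that any device nodes the program needs (e.g. /dev/urandom) were already opened before the call; the function name enter_jail and the verification step are this example's own choices.

```c
/* Added example: enter a chroot jail and drop root right afterwards.
 * Not code from the thread. Assumes the process starts as root and has
 * already opened any device nodes it needs (they will be gone after chroot). */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 on success, -1 on failure with errno set. On failure the
 * process may be half-way through the transition, so callers must exit. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
	/* Refuse to "drop" to root: that would leave the jail escapable. */
	if (uid == 0 || gid == 0) {
		errno = EINVAL;
		return -1;
	}

	/* 1. chdir into the directory, chroot to ".", then chdir to "/" so the
	 *    working directory is guaranteed to lie inside the new root. */
	if (chdir(dir) < 0 || chroot(".") < 0 || chdir("/") < 0)
		return -1;

	/* 2. Drop privileges while still root: supplementary groups first,
	 *    then the gid, then the uid (the other order fails with EPERM). */
	if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
		return -1;

	/* 3. Verify the drop is permanent: regaining root must now fail.
	 *    If either call succeeds, the drop was incomplete; treat as fatal. */
	if (setuid(0) == 0 || seteuid(0) == 0) {
		errno = EPERM;
		return -1;
	}

#ifdef __OpenBSD__
	/* 4. Second layer, as in the thread: restrict the file system view to
	 *    read-only "/" inside the jail and then pledge a minimal promise set
	 *    (adjust "stdio rpath" to what the program actually needs). */
	if (unveil("/", "r") < 0 || unveil(NULL, NULL) < 0)
		return -1;
	if (pledge("stdio rpath", NULL) < 0)
		return -1;
#endif
	return 0;
}

int main(int argc, char **argv)
{
	uid_t uid;
	gid_t gid;

	if (argc != 4) {
		fprintf(stderr, "usage: %s dir uid gid\n", argv[0]);
		return 2;
	}
	uid = (uid_t)strtoul(argv[2], NULL, 10);
	gid = (gid_t)strtoul(argv[3], NULL, 10);

	if (enter_jail(argv[1], uid, gid) < 0) {
		fprintf(stderr, "enter_jail: %s\n", strerror(errno));
		return 1;
	}
	printf("jailed in %s as uid %u, root escape check passed\n",
	       argv[1], (unsigned)getuid());
	return 0;
}
```

Run it as root against an otherwise empty directory and an unprivileged uid/gid (e.g. the nobody account's numbers); the printf at the end only runs if step 3 confirmed that root cannot be regained. The check in step 3 is the part that turns chroot() from a mere path rewrite into the locked door Laslo describes: without a successful, verified privilege drop the process could still mount file systems inside the jail.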