On Tue, 12 Dec 2000, Gunther Birznieks wrote:
> At 09:58 AM 12/11/00 +0000, Matthew Byng-Maddick wrote:
> >On Sun, 10 Dec 2000, Gunther Birznieks wrote:
> > > For example, perhaps the mod_perl server and the HTML/images server should
> > > be separately chrooted from each other? That way, someone who breaks the
> > > dynamic script won't be able to mess with the frontpage of the website to
> > > deface it assuming the hacker could get around permissions issues within
> > > the chroot jail.
> >Why do you need the proxy server to be chrooted at all? What does that
> >gain you? After all, if Apache is insecure, you can break out of the
> >chroot()ed jail anyway.
> If Apache is insecure it's not necessarily possible to break out of the
> chrooted jail. It depends on if the part of Apache that grabs the socket is
> insecure which is a tiny part of Apache.
Ah. I see what you're getting at. By insecure I really meant that you
could achieve root. I see that if you were trying to read files on the
system, yes, a chroot would help.
> Apache itself is large and complex and if you are talking about a front-end
> server, you are talking about having at minimum mod_proxy, mod_rewrite and
> maybe even mod_backhand. These modules are not trivial code but breaking
> them wouldn't allow someone to break out of the chroot jail with root
> privileges.
Yes, you can only break out of the jail once you have achieved root.
> > > BTW, OT Question on the subject -- does anyone know if /chroot/etc/shadow
> > > necessary once the chroot jail is in effect? The author creates a shadow
If you can't break up to root in the jail, then you don't need to worry
about a shadow file.
> >Well, you've lost if you break root inside a traditional chroot() (as
> >opposed to FreeBSD4's jail()) -
> >1) attacker can mknod() (and can therefore attack kmem).
> >2) attacker can call chroot()
> > - int j; mkdir("./bin"); chroot("./bin");
> > for(j=0;j<PATH_MAX;j++) chdir(".."); chroot(".");
> Doesn't this require the root ID in order to issue .. chroots? I may be
> misunderstanding this portion of your statement.
Yes, but I'm showing that in a traditional chroot, if the attacker can get
root (in order to read the /chroot-path/etc/shadow file), then you've lost
anyway, because he can break out of the jail by the trick above.
> >In which case the shadow file can be there. What isn't there is a way to
> >get root (any suid programs or similar). You hope. :)
> I agree that it's an important point to make that any binary copied
> to the chroot jail should not be suid root, as that would allow a point
> of attack.
That's why chroot() is useful. :)
MBM
--
Matthew Byng-Maddick Home: <[EMAIL PROTECTED]> +44 20 8981 8633 (Home)
http://colondot.net/ Work: <[EMAIL PROTECTED]> +44 7956 613942 (Mobile)
Think Honk if you're a telepath.
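The thread's practical conclusion is that a chroot jail only holds if nothing inside it offers a way to root (no suid binaries) and nothing lets a root process reach the kernel (device nodes, mknod). The audit below is an added example, not code from the thread or from either poster; it takes the jail path as an argument (defaulting to /chroot only because that is the path used in the discussion) and reports setuid/setgid files as failures and device nodes and a shadow copy as items to review.

```shell
#!/bin/sh
# Added example, not from the thread: audit a chroot jail for the things the
# discussion says must not be there. Usage: audit_jail /path/to/jail
# Prints findings one per line; returns 1 if any setuid/setgid file was found,
# 0 if the jail is clean, 2 if the path is not a directory.
audit_jail() {
    jail=${1:-/chroot}   # /chroot is an assumed default mirroring the thread
    if [ ! -d "$jail" ]; then
        echo "audit_jail: $jail is not a directory" >&2
        return 2
    fi
    rc=0
    # setuid/setgid regular files: the "suid root" binaries the thread warns
    # against. -xdev keeps find from descending into bind-mounted filesystems.
    suid=$(find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    if [ -n "$suid" ]; then
        echo "$suid" | sed 's/^/FAIL setuid\/setgid file: /'
        rc=1
    fi
    # device nodes: a jail for a proxy usually needs only /dev/null, so list
    # everything for review; kmem/mem/disk nodes would be the real problem.
    devs=$(find "$jail" -xdev \( -type b -o -type c \) 2>/dev/null)
    if [ -n "$devs" ]; then
        echo "$devs" | sed 's/^/REVIEW device node: /'
    fi
    # the shadow question from the thread: harmless only while root is
    # unreachable inside the jail, so flag its presence rather than fail.
    if [ -e "$jail/etc/shadow" ]; then
        echo "REVIEW $jail/etc/shadow is present"
    fi
    return $rc
}
```

Run it against the jail after every file is copied in, not just once at build time, since a later package install into the jail is the usual way an suid binary sneaks back.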