When Not to Use chroot 407
Hyena writes "Linux guru Alan Cox is quoted as saying 'chroot is not and never has been a security tool' in a KernelTrap article summarizing a lengthy thread on the Linux Kernel mailing list. The discussion began with a patch attempting to 'fix a security hole' in the Unix chroot command, trying to improve the ability of chroot to contain a process. When it was pointed out that people have been using chroot as a security tool for years, another kernel hacker retorted, 'incompetent people implementing security solutions are a real problem.' A quick search on the terms 'chroot+security' quickly reveals that many people have long thought (wrongly) that chroot's purpose was for improving security."
misleading... (Score:5, Informative)
FreeBSD Jails (Score:3, Informative)
Its like a virtual machine, but shares the same kernel (with restrictions) so there isn't the performance of full emulation.
Duh. (Score:3, Informative)
For those of you who weren't aware how easy it can be to break out of most chroots, here's a good description of a common process:
http://www.bpfh.net/simes/computing/chroot-break.html [bpfh.net]
Re:FreeBSD Jails (Score:1, Informative)
If its used to lock the hackers out of the program (or in the program out of the rest of the system) its security.
The big difference between protected processes and Jails is root on the main system can access anything in a jail where as I doubt you can do that in windows (if you can that its useless as DRM so the argument is moot).
Re:Duh. (Score:1, Informative)
--
For a user to do this, they would need access to:
- C compiler or a Perl interpreter
- Security holes to gain root access
--
So, the security tool isn't useful if there's a different security hole you can use to become root, especially when you can create and execute arbitrary code on the machine. No kidding.
We already know that chroot() can be broken with superuser access; that's what superuser access is for. Security holes that grant root access completely destroy the Unix security model, since it really only comes in two levels, and root is by definition unlimited. If I'm allowed simply to assume a way to gain root access as one premise of my new 'sploit, then there is no possible way to secure Linux at all.
Note that half of the discussion in TFA also falls into this trap. Most of the posts are discussing chroot as a shell command, and pointing out that if you're logged in as root it doesn't contain you. Again, no kidding. chroot is a way for a program to set up a samdbox for some other program; that's it. As a interactive shell command, it's mostly pointless.
Re:Not for security use? (Score:5, Informative)
1. Create ~/etc/master.passwd with an empty root password.
2. Hard link
3. Copy
4. chroot ~
5. ~/bin/sh is now an unrestricted root shell.
Re:Or is it? (Score:3, Informative)
For daemons that run as root, the user should not be using the chroot command. Instead, the daemon should be doing cwd(), chroot(), setuid(). For other processes, you should (as root) do something like chroot su user command, so you drop privileges as soon as you are inside the chroot and can't escape.
Re:Then what is it for? (Score:5, Informative)
Re:For daemons that don't run as root (Score:5, Informative)
Just because you can only run a command as a superuser doesn't mean that all of the child processes of that command have to be run as the superuser. If this were the case, since init runs as root you would not have a multiuser system.
Re:misleading... (Score:4, Informative)
Using chroot on a process is like handing a person a map with an X on the destination. You've shown them where they're supposed to go, you haven't really done anything to prevent them from running off in another direction.
Re:Not for security use? (Score:2, Informative)
Re:misleading...Re:Asshole Stereotype (Score:5, Informative)
Anyway, I do understand the perspective behind your reaction, but it doesn't fit in this specific case.
Oversimplified... (Score:3, Informative)
That said, even done properly chroot really only provides a little protection, and only in the case of horribly configured systems... IMHO, the sole benefit of chrooting a process is that anyone who successfully breaks-in can't execute SUID/SGID applications located elsewhere on the filesystem, which very, very commonly have security holes. Proper use of either sudo, or setting-up groups that are the only ones allowed to exec SUID/SGID applications, eliminates this big security hole.
People like to say that chroot prevents attackers from running anything within the chroot, but it really doesn't... No doubt the exploit code used to break-in directly overwrites locations in memory. A similar method can be used to run any code you wish, no matter what is or isn't available inside the chroot. It certainly won't stop someone from exploiting kernel bugs, generating/reading network traffic, etc.
Of course, these are the same types of people that think their systems are safer for having removed the compilers, and other (non-SUID/SGID) binaries that harmlessly occupy HDD space.
Re:I'll bite (Score:2, Informative)
linux doesn't have jail. However, user mode linux and the like accomplish the same thing.
I've also seen attempts to fake a jail using LD_PRELOAD funstion stubs to filter system calls. However, since the filtering is not done in the kernel, it's possible for another thread to modify the arguments after they've been verified but before they actual system call takes place (ie, a race condition).
There was a slashdot article about this a couple months ago, but damned if I can find it now.
Re:Not for security use? (Score:4, Informative)
They're not. They are, however, allowed to create a name in a directory (a link) that points to an existing inode. Since the inode has all of the owner and permission data, and the user is not allowed to modify the inode, allowing them to create a link to it is not an inherent risk.
Awesome, the semantics of directory permissions are not even honored anymore.. anyone else smell a kludge here?
Yes, they are.
chroot, security and other uses (Score:4, Informative)
Only if it can get access to a broken SUID program, etc. I always though the point of a chroot in a security context was that the chroot only had the absolute minimum environment the task being isolated had to have, thus there shouldn't be too much in there to worry about getting exploited. Which is very useful.
Of course there are lots of uses for chroot that have nothing to do with security. Like keeping a whole 32bit environment seperate from the main 64bit install, wonderful tools like mock which allow keeping multiple distros on multiple arches installed and usable for building packages, etc.
Re:Not for security use? (Score:1, Informative)
> You haven't created a file owned by root. You've created an i-node pointing to the data blocks of a file owned by root.
Ohh Keith, clearly you have meager understanding of what an inode is (or a hard link is for that mater). A hard link is NOT an inode but a new name-to-inode pointer contained in the directory's data blocks (remember a directory is just a file). When you create a hard link, you just increase the link count on the already existing inode and add an entry (pointer to the inode) in the link's parent directory's "file."
Now a soft link IS a new inode.
Hope that cleared things up for you. I LOVE asking this question during interviews because most Unix Sysadmins don't really know it.
--AC
Re:Chroot as a non-security tool (Score:4, Informative)
Citation (Score:5, Informative)
http://blogs.sun.com/chrisg/tags/chroot [sun.com]
*cough* (Score:3, Informative)
Re:Not for security use? (Score:5, Informative)
>
> You haven't created a file owned by root. You've created an i-node pointing to the
> data blocks of a file owned by root.
No, you didn't.
You created a directory entry pointing to the i-node of the file which is also pointed
by the 'sh' entry in the
You can delete a hard link to a file owned by anyone if you have write permission on the directory that contains a link:
zoltan@gep:~> ln
zoltan@gep:~> ls -l foo
-rwxr-xr-x 2 root root 572200 2005-09-10 03:43 foo
zoltan@gep:~> rm foo
rm: remove write-protected regular file `foo'? y
zoltan@gep:~>
On the other hand, if you try it in
zoltan@gep:~> cd
zoltan@gep:/tmp> ln
zoltan@gep:/tmp> ls -l foo
-rwxr-xr-x 2 root root 572200 2005-09-10 03:43 foo
zoltan@gep:/tmp> rm foo
rm: remove write-protected regular file `foo'? y
rm: cannot remove `foo': Operation not permitted
zoltan@gep:/tmp>
The reason for that strange behaviour is this:
zoltan@gep:/tmp> ls -ld
drwxr-x--- 114 zoltan users 16248 2007-09-28 14:23
drwxrwxrwt 32 root root 3176 2007-09-28 14:25
The
Is it a bug? Well, it's certainly a feature... Is it a security problem? I don't know, I am no security expert, but I haven't heard of an exploit based on links and the sticky bit yet.
Re:Or is it? (Score:5, Informative)
Well a good place to start would be at http://en.wikipedia.org/wiki/Chroot [wikipedia.org] because one of the first things I did when this article came up was to double-check my understanding of chroot right there. FTFW:
Re:Or is it? (Score:4, Informative)
Re:misleading... (Score:3, Informative)
Don't be silly, there are open source developers producing and using open source software in 1001 different scenarios. Many people are using Linux or BSDs in university computer labs, small companies, running web servers with shell access. You're right that no-one has developed this yet but there are thousands of network utilities in the Debian source tree and BSD Ports that demonstrate that developers are producing high-quality software for large-scale networked environments.