End of bind-chroot-admin script
yersinia.spiros at gmail.com
Mon Nov 10 12:49:31 UTC 2008
Well, it is off topic IMHO with the principal mail subject but the
discussion is so interesting so some consideration on the point could be
of Russel Cooker
On Mon, Nov 10, 2008 at 2:26 PM, Adam Tkac <atkac at redhat.com> wrote:
> On Mon, Nov 10, 2008 at 06:58:38AM -0500, Alan Cox wrote:
> > On Mon, Nov 10, 2008 at 01:34:23PM +0100, Adam Tkac wrote:
> > > Chroot is good and traditional method how restrict daemons. Many users
> > > still use it and it is far more easy create chroot configuration than
> > > create/maintain SELinux policy. I don't think SELinux obsoletes
> > > chroot, both try restrict daemon privileges and both have + and -.
> > chroot isn't a security feature. It helps for some non-root cases but
> > are ways out of chroots and there are all sorts of fun things that can be
> > used to escape a chroot in the right circumstances.
> Well, we are quite OT but could you point me how daemon could escape chroot
> when it is written correctly?
> > Its also inadequate for some forms of attack. If I can persuade your
> named to
> > run code of my choice in a chroot without selinux then I can still use
> > box as a spam machine, botnet host, DoS attack tool, proxy, etc .. all
> > breaking the chroot.
> > In the SELinux case a lot of those actions will hit SELinux denials.
> Right you are but when you are using chroot it is very hard to do
> such attack. I think it is nearly impossible insert and run such long
> arbitrary code especially when binary is compiled with stack protector.
> Make sure I also think SELinux is better but it doesn't mean that
> chroot is useless and obsoleted.
> Adam Tkac, Red Hat, Inc.
> fedora-devel-list mailing list
> fedora-devel-list at redhat.com
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the devel