Re: RE: How to launch squid

From: Anthony DeBoer <adb@dont-contact.us>
Date: 9 Oct 1997 15:51:54 -0000

Jonathan Larmour <jonathan.larmour@uk.origin-it.com> writes:
> ... Also be warned that chrooting in
> itself is not sufficient to guarantee security. e.g. if hacked, ...

Well, it _should_ go without saying that if a cracker can gain root
inside the chroot environment on a conventional Unix system, it's
game-over. The next two syscalls in a decent chroot wrapper are
chdir("/") to make sure you're actually inside, and setuid(nonzero) to
shed root privilege. Also make sure there aren't any dangerous toys
inside the chroot directory, and that root outside the environment
never trusts anything inside that directory.

> I patched my kernel to prevent mounting, unmounting, mknod's,
> accessing the cwd after a chroot, and changing IP firewall/forwarding
> rules from within a chrooted area. ...

In theory, all of the dangerous kernel functionalities already check for
uid == 0; the key might be to make it impossible to regain uid=0 by any
mechanism whatsoever if you're chrooted, once the chroot wrapper has done
its setuid(unprivileged) call. There are probably fewer places where
the kernel sets the uid than places where it tests it.

However, on the Squid list, we should probably stick to the specifics of
running Squid in such an environment and not go on too deep a kernel-dive.

I've put my Squid wrapper code as it exists so far at:

  ftp://ftp.onramp.ca/adb/sqwrap-1.0.tar.gz

-- 
Anthony DeBoer <adb@geac.com>                    #include <std.disclaimer>
Received on Thu Oct 09 1997 - 08:36:10 MDT
