On Wed, Sep 25, 2019 at 04:32:45PM +0200, Laslo Hunhold wrote:
> On Wed, 25 Sep 2019 16:06:52 +0200
> Markus Wichmann <nullplan_AT_gmx.net> wrote:
>
> Dear Markus,
>
> > chroot() has several detrimental effects, most importantly making it
> > impossible to access /dev/null and /dev/urandom. Unless, of course,
> > measures are taken to replicate these devices underneath the new root.
>
> please excuse the ignorant question, but why would you want to access
> /dev/null? The problem with /dev/urandom is well-known, which is why
> OpenBSD has arc4random(3).
>
> > It is also not a security device. If a service in a chroot is
> > exploited with root privileges, it can mount procfs wherever, and
> > access /proc/1/root. It can also mount another instance of the rootfs
> > wherever and escape the jail that way.
>
> You are absolutely right. chroot() on its own is not a security device,
> but it is when you drop your privileges after chrooting. Then it is not
> possible to mount procfs or whatnot.
>
> After all, one measure alone is never enough, which is why I also use
> unveil(2) (at least on OpenBSD) to make any other accesses to the file
> system impossible.
>
> With best regards
>
> Laslo
>
Yes, and to add to it:
Of course unveil and pledge also don't need (initial) root
permissions, which makes locking down basic programs very easy.
--
Kind regards,
Hiltjo
Received on Wed Sep 25 2019 - 17:26:32 CEST
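The sequence the thread settles on (chroot, then drop root so mount(2) and procfs are out of reach, then unveil/pledge on OpenBSD) as an added C example; this is not code from the thread or from any suckless project. It assumes a hypothetical empty directory `/var/empty` and the unprivileged id 65534 for the stand-alone `main`; the function names `sandbox_enter` and `verify_unprivileged` are this example's own. The verification step is the part worth copying: a chroot where setuid(0) still succeeds is exactly the case Markus describes.

```c
/* Added example (not from the thread or any suckless project): enter a
 * chroot and drop privileges in the order discussed, then verify the drop
 * took effect. OpenBSD-only calls are guarded so the file builds on Linux. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 1 when the process can no longer regain root: the effective uid
 * is non-zero and setuid(0) fails with EPERM. A seteuid()-only "drop"
 * leaves the saved set-user-id at 0, so setuid(0) would succeed and this
 * returns 0, as it does while still running as root. */
int
verify_unprivileged(void)
{
	if (geteuid() == 0)
		return 0;
	if (setuid(0) == 0)
		return 0;
	return errno == EPERM;
}

/* Chroot into `root` and switch to uid/gid, refusing to "drop" to root.
 * Returns 0 on success, -1 with errno set on failure. The caller must be
 * root for chroot(2), setgroups(2) and setgid(2) to succeed. */
int
sandbox_enter(const char *root, uid_t uid, gid_t gid)
{
	if (root == NULL || uid == 0 || gid == 0) {
		errno = EINVAL;
		return -1;
	}
	/* chdir first so "." is inside the new root; chroot(".") then leaves
	 * no working directory pointing outside the jail. */
	if (chdir(root) < 0 || chroot(".") < 0)
		return -1;
	/* Supplementary groups, then gid, then uid; uid goes last because
	 * the group changes need root. */
	if (setgroups(0, NULL) < 0 || setgid(gid) < 0 || setuid(uid) < 0)
		return -1;
	/* Without this check a failed drop silently leaves root inside the
	 * chroot, where procfs or a second rootfs can be mounted. */
	if (!verify_unprivileged()) {
		errno = EPERM;
		return -1;
	}
#ifdef __OpenBSD__
	/* Neither call needs root: read-only view of the new root, then a
	 * promise set that excludes everything but stdio and read access. */
	if (unveil("/", "r") < 0 || unveil(NULL, NULL) < 0)
		return -1;
	if (pledge("stdio rpath", NULL) < 0)
		return -1;
#endif
	return 0;
}

int
main(void)
{
	/* Hypothetical root and ids: use an existing empty directory and an
	 * unprivileged account on your system. Must be started as root. */
	if (sandbox_enter("/var/empty", 65534, 65534) < 0) {
		perror("sandbox_enter");
		return 1;
	}
	puts("sandboxed: privileges dropped inside /var/empty");
	return 0;
}
```

Run as root it exits 0 only if every step succeeded and root is gone; run as an ordinary user the chroot fails with EPERM and nothing is half-applied, since the function stops at the first failing call.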