I always had some doubts about the real protection that a chrooted
environment can give. As you know, there are a lot of things that can be
done in this environment, supposing you can bring some binaries into it:
connect to other ports using the loopback interface, connect to internal
hosts, etc. These days I was talking about this with a list member, so I
tried on a Linux box to mount the /proc filesystem in a chrooted
environment, and it worked. I had immediate access to all the process
descriptors, filtering rules and everything a hacker may dream of reaching
in a system.
It actually seems obvious, since the proc filesystem is an interface to
the kernel, and the kernel is still there even in a chroot.
My questions are:
1) Did I miss something so that my test is meaningless?
2) I used the chroot command, not the system call; could the problem be
a consequence of a buggy implementation of the command? Maybe I should
try using the system call in a C program...
3) Is the problem common to other systems with the proc file system?
4) I didn't try mknod, but it should work the same way, right?
And finally: if the above is correct, what's the usefulness of chroot,
besides giving some more trouble to the hacker?
Thanks
ciao
- Claudio
Received on Nov 08 1997
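The test described in the message, repeated with the chroot(2) system call instead of the chroot(1) command (question 2) and extended to the mknod step the author did not try (question 4). This is an added example written for this page, not code from the original post or from any list member. It assumes Linux, a writable /tmp (or current directory) for a throw-away jail, and root privileges: without them the probe stops at the first step and reports so. The probe runs in a forked child so the calling process keeps its own root directory.

```c
/* chroot_proc_probe.c: added example, not part of the original 1997 post.
 * Repeats the author's experiment with the chroot(2) system call rather
 * than the chroot(1) command, then tries the two things the post names
 * inside the jail: mounting proc and creating a device node with mknod.
 * Linux only; only root (CAP_SYS_CHROOT, CAP_SYS_ADMIN, CAP_MKNOD) gets
 * past the first step. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/sysmacros.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

enum probe_result {
    PROBE_ALL_OPEN   = 0, /* chroot, mount of proc and mknod all worked */
    PROBE_NO_CHROOT  = 1, /* chroot(2) refused (not root) */
    PROBE_NO_MOUNT   = 2, /* inside the jail, but mount(2) of proc refused */
    PROBE_NO_MKNOD   = 3, /* proc mounted in the jail, but mknod(2) refused */
    PROBE_SETUP_FAIL = 4  /* could not create the jail or fork the probe */
};

/* Runs in the forked child, so the caller's root is never changed. */
static int probe_child(const char *jail)
{
    int fd;
    if (chroot(jail) != 0)
        return PROBE_NO_CHROOT;
    /* chroot(2) does not move the working directory; without this chdir
     * the process still has a handle on the outside tree. */
    if (chdir("/") != 0)
        return PROBE_NO_CHROOT;
    /* The kernel is still there: proc mounts inside the jail like anywhere. */
    if (mount("proc", "/proc", "proc", 0, NULL) != 0)
        return PROBE_NO_MOUNT;
    /* Confirm the jailed process now reads kernel state (its own status). */
    if (access("/proc/self/status", R_OK) != 0) {
        umount2("/proc", MNT_DETACH);
        return PROBE_NO_MOUNT;
    }
    umount2("/proc", MNT_DETACH);
    /* Device nodes are named by major/minor, not by path, so mknod works
     * just as well in the jail: here a second /dev/null (1,3). */
    if (mknod("/dev/null", S_IFCHR | 0666, makedev(1, 3)) != 0)
        return PROBE_NO_MKNOD;
    fd = open("/dev/null", O_WRONLY);
    unlink("/dev/null");
    if (fd < 0)
        return PROBE_NO_MKNOD;
    close(fd);
    return PROBE_ALL_OPEN;
}

/* Creates a throw-away jail (assumed location: /tmp, falling back to the
 * current directory), forks, runs the probe and returns a probe_result. */
int probe_chroot(void)
{
    char jail[64], procdir[96], devdir[96];
    pid_t pid = -1;
    int status, r;

    strcpy(jail, "/tmp/jail.XXXXXX");
    if (mkdtemp(jail) == NULL) {
        strcpy(jail, "jail.XXXXXX");
        if (mkdtemp(jail) == NULL)
            return PROBE_SETUP_FAIL;
    }
    snprintf(procdir, sizeof procdir, "%s/proc", jail);
    snprintf(devdir, sizeof devdir, "%s/dev", jail);

    if (mkdir(procdir, 0555) != 0 || mkdir(devdir, 0755) != 0 ||
        (pid = fork()) < 0) {
        r = PROBE_SETUP_FAIL;
    } else if (pid == 0) {
        _exit(probe_child(jail));
    } else if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) {
        r = PROBE_SETUP_FAIL;
    } else {
        r = WEXITSTATUS(status);
    }
    /* Best-effort cleanup; errors here do not change the verdict. */
    rmdir(devdir);
    rmdir(procdir);
    rmdir(jail);
    return r;
}

const char *probe_describe(int r)
{
    switch (r) {
    case PROBE_ALL_OPEN:  return "chroot, mount of proc and mknod all worked inside the jail";
    case PROBE_NO_CHROOT: return "chroot(2) refused: rerun as root";
    case PROBE_NO_MOUNT:  return "in the jail, but mount(2) of proc refused (no CAP_SYS_ADMIN?)";
    case PROBE_NO_MKNOD:  return "proc mounted in the jail, but mknod(2) refused";
    default:              return "could not set up the jail";
    }
}

/* True for the four outcomes of a probe that actually ran. */
int probe_outcome_is_known(int r)
{
    return r >= PROBE_ALL_OPEN && r <= PROBE_NO_MKNOD;
}

int main(void)
{
    int r = probe_chroot();
    printf("%s\n", probe_describe(r));
    return r == PROBE_SETUP_FAIL;
}
```

Run as root on a plain Linux host, the probe reports that all three steps worked, which is the outcome the post describes: chroot changes only where path lookups start, not what the kernel will do for a privileged process. Run as an unprivileged user it stops at chroot(2) itself, and inside a container that drops CAP_SYS_ADMIN it typically stops at the mount, which is also the answer to the author's last question: chroot only confines a process that cannot obtain these privileges in the first place.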