


Firewall Wizards: Re: chroot useful?

Re: chroot useful?

From: <chuck+fwwiz_at_yerkes.com>
Date: Mon, 10 Nov 1997 11:56:01 -0500 (EST)

It is claimed, but unverified, that Claudio Telmon wrote:
>
> I always had some doubts about the real protection that a chrooted
> environment can give. As you know, there are a lot of things that can be
> done in this environment, supposing you can bring some binaries in it:
> connect to other ports using the loopback interface, connect to internal
> hosts etc.
[...]
> My questions are:
> 1) Did I miss something so that my test is meaningless?
[...]

Well, I'd guess yes. Why would you be able to mount things in
a chroot environment? Moreover how? Why would you remotely
be able to bring over binaries?

I guess my view is "bolt it down AND chroot it" - chroot alone
is not enough.

Or maybe we use chrooted areas differently. I usually use a
readonly area for chroot and I run specific programs (daemons) in
it - an http proxy, the rc5 cracking client, etc. Certainly not
interactive jobs, usually with no RW area. When you have interactive
stuff, you generally pull over so many binaries that you lose your
chroot security - unless that interactive area is menu controlled or
something and tightly controlled.

When I'm really paranoid, I use a disk that's pinned readonly
(finally, a use for those 105M quantums or that old 80 meg Mac
drive!).

When I need a R/W area, I have a R/O disk partition with the
binaries and a DATA area mounted NOSUID. My WWW servers run like
this as do POP and FTP - it keeps them out of trouble.

In general on "security conscious" machines, I keep /usr and
/usr/local partitions RO and everything that's read/write mounted
NOSUID (/var, /, /home and so forth). In practice, this mostly helps
limit mistakes by SA's and it forces a reboot to get it RO again -
reboots are obvious to detect. (Been thinking of whacking at OpenBSD
to get RO root areas - or perhaps booting into RAM from a CD, hmmm -
a 256+ Meg machine, and I've gotten BSDI down to 50 meg installs...
maybe some swap -- hmmmm, but I digress)

chuck
----------------------------------------------
chuck_at_yerkes.com consultant guy
Received on Nov 10 1997
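
The mount policy described in the message above (read-only /usr and /usr/local, NOSUID on every read/write area) can be checked mechanically. The following is an added example, not part of the original post; it assumes a Linux-style /proc/mounts field layout, and the sample table and the names `audit`, `unescape` and `SAMPLE_MOUNTS` are constructed for illustration.

```python
# Added example (not from the original post): audit a mount table against the
# policy "binary areas read-only, everything writable mounted nosuid".
# Assumed input format: Linux /proc/mounts (device mountpoint fstype options dump pass).

# Mount points the post keeps read-only.
READONLY_REQUIRED = {"/usr", "/usr/local"}
# Pseudo filesystems this audit skips (an assumption of the example).
SKIP_FSTYPES = {"proc", "sysfs", "devpts", "cgroup2"}

# Constructed sample input, not taken from any real host.
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda2 /usr ext4 ro,relatime 0 0
/dev/sda3 /usr/local ext4 rw,nosuid,relatime 0 0
/dev/sda5 /var ext4 rw,nosuid,nodev 0 0
/dev/sda6 /home ext4 rw,relatime 0 0
/dev/sda7 /srv/www\\040data ext4 rw,nosuid 0 0
proc /proc proc rw,nosuid,nodev,noexec 0 0
"""

def unescape(field):
    """Decode the octal escapes /proc/mounts uses for space, tab, newline, backslash."""
    # The backslash escape is decoded last so its output is never re-decoded.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def audit(mount_text):
    """Return (mountpoint, problem) tuples for mounts that violate the policy."""
    findings = []
    for line in mount_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[2] in SKIP_FSTYPES:
            continue  # malformed line or pseudo filesystem
        mountpoint = unescape(parts[1])
        options = set(parts[3].split(","))
        if mountpoint in READONLY_REQUIRED and "ro" not in options:
            findings.append((mountpoint, "should be read-only"))
        elif "rw" in options and "nosuid" not in options:
            findings.append((mountpoint, "writable without nosuid"))
    return findings

if __name__ == "__main__":
    for mountpoint, problem in audit(SAMPLE_MOUNTS):
        print(f"{mountpoint}: {problem}")
```

Run periodically and compared with the previous result, the same check shows when a read-only area has been remounted read/write.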
