Date: Fri, 8 Oct 1999 17:05:40 -0400 From: Justin Wells <jread@semiotek.com> To: freebsd-security@freebsd.org Subject: chroot jail in pre 4.0 Message-ID: <19991008170540.A1618@fever.semiotek.com>
next in thread | raw e-mail | index | archive | help
I have several daemons running chrooted on my box, and I am wondering just
how safe I can make things under 3.3/3.2. I will definately be using jail()
once that's available to me, but currently it's not..
What I would like to do is come up with something as secure-as-possible
using a combination of chflags, mount options, chroot, and exec.
Something like this:
-- mount /secure with nodev, nosuid, and noexec
-- schg,sunlnk any libraries/binaries/config files in /secure/someroot,
and sappnd,sunlink the logfiles.
-- set security level high enough to enforce schg, sunlink, and sappnd
-- accept a network connection (possibly with inetd, or some variant)
-- chroot to /secure/someroot
-- suid to a non-root user
-- exec some daemon or run some process
Yes, that's really paranoid, but I have to run some really bogus C code
that I just don't trust, and I don't have the resources to audit it. No
I'm not going to mention where it is and what it is :-)
You may have noticed my problem though: if the partition is mounted
noexec, then I cannot perform an exec AFTER the chroot. But that means
the daemon has to start running outside the chroot, AS ROOT, and then
call chroot() on its own.
I don't want my bogus C code monster running as root outside its chrooted
jail, at all. I also think having the partition mounted as "noexec" buys
me some significant benefits--attackers cannot find ways to upload program
code and exec it, because nobody can exec anything.
There are actually two programs: one that needs to be run out of inetd,
and another program that is a long-running server. Neither would survive
five minutes of even the most incompetent security audit, in my opinion.
But I have to run them...
What I need is some way to combine a chroot and an exec in one simultaneous
operation, so that the target partition can be noexec, so that the target
of the exec doesn't have to be inside the chrooted area.
Is there any way around this? What else should I do? Will jail be of
any help later?
Justin
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991008170540.A1618>