From owner-freebsd-questions@FreeBSD.ORG Thu Apr 1 07:45:21 2004 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 6AB5016A4CE for ; Thu, 1 Apr 2004 07:45:21 -0800 (PST) Received: from asarian-host.net (mail.asarian-host.net [194.109.160.70]) by mx1.FreeBSD.org (Postfix) with ESMTP id 99FAA43D1F for ; Thu, 1 Apr 2004 07:45:20 -0800 (PST) SRS0=opIOBTrz=G5=asarian-host.net=admin@asarian-host.net) Comments: To protect the identity of the sender, certain header fields are either not shown, or masked. Anonymous email accounts can be requested by filling in the appropriate form at: https://asarian-host.net/cgi-bin/signup.cgi Received: (from root@localhost) by mail.asarian-host.net (8.12.11/8.12.11) id i31FjJZO076793 for freebsd-questions@freebsd.org; Thu, 1 Apr 2004 17:45:19 +0200 (CEST) (envelope-from admin@asarian-host.net) From: Mark Received-SPF: pass (asarian-host.net: domain of admin@asarian-host.net designates sender IP as SASL permitted sender) Message-Id: <200404011545.I31FJILG076782@asarian-host.net> Date: Thu, 01 Apr 2004 15:45:19 GMT X-Authenticated-Sender: admin@asarian-host.net X-Trace: rJKR0C/PhxEKhqu3h2EZNgA0PCytslwGcsdbucGoLBTk1qk2IGyqzkUjrOus1z/UKf5KBr0yH3i/0bS7aHQ6Aw== X-Complaints-To: abuse@asarian-host.net X-Abuse-Info: Please be sure to forward a copy of ALL headers, otherwise we are unable to process your complaint Organization: Asarian-host To: References: <200404010802.I31823VU058374@asarian-host.net> <20040401084727.GA64863@xor.obsecurity.org> MIME-Version: 1.0 Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: 7bit X-Priority: 3 X-MSMail-Priority: Normal X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165 X-Auth: Asarian-host PGP signature iQEVAwUAQGw5DzFqW1BleBN9AQFpVQf/TD+46gLRQbPQBGR4Vb3cqbP8Adx+EGUo AOkpFTUGFdEv5TDlGmPCPSqTeuZ9T3vuijm8pcZXTRAdo/PzPoYcpyko9N6/0yB+ fKVVvFWK8rqXdwBcvtUBupwuSFZR3gvAtl9UdN1/A+oI5z74xmy5MItHgvdTM8O2 G30XANJ2nswo0bStnjp4A2YfiybLfHnjvv5cvcvBY5N9hoPJv1Yn5/kMiPTUGdiZ h4tC3Aag2IHArZaUjDiGGsTKbA2KLIW2M+dDdF4aBXIG5w3fhFFqWdDySlGvlWrO EZjEXbY+wghcck2/6Ainw6N3F7HeeMs93rhcvddFai1l/AEVZEEMyA== =BEEn Subject: Re: chroot or jail? X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.1 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Thu, 01 Apr 2004 15:45:21 -0000 ----- Original Message ----- From: "Kris Kennaway" To: "Mark" Cc: Sent: Thursday, April 01, 2004 10:47 AM Subject: Re: chroot or jail? > > Hello, > > > I am setting up a new Apache 1.3.29; and I was wondering, should I use > > jail or chroot to secure it? I know root can potentially break out of chroot. > > But what about jail? (FreeBSD 4.9R-p3). Can you break out of a jail? > > No [1], that's the point :) Well, we all know how things are meant to work. I mean, you're not supposed to be able to break out of a chroot either; yet this is still possible (some fchdir exploits with open directory file descriptors pointing outside the chrooted environment). So, I reiterate my question, do such exploits exist for jail too? I particularly ask because of the chroot ability of mod_security (1.75). It chroots Apache, after having started it up. Neat trick. But my suspicious nature (not necessarily a bait trait in a system administrator) wonders how breakout-proof that method really is. Especially since Apache keeps quite a few file descriptors open, pointing outside the chrooted environment. So, I was contemplating that I am perhaps better off jailing Apache (with a real jail call), instead of chrooting it. Cheers, - Mark