Date: Thu, 01 Apr 2004 15:45:19 GMT From: Mark <admin@asarian-host.net> To: <freebsd-questions@freebsd.org> Subject: Re: chroot or jail? Message-ID: <200404011545.I31FJILG076782@asarian-host.net> References: <200404010802.I31823VU058374@asarian-host.net> <20040401084727.GA64863@xor.obsecurity.org>
next in thread | previous in thread | raw e-mail | index | archive | help
----- Original Message ----- From: "Kris Kennaway" <kris@obsecurity.org> To: "Mark" <admin@asarian-host.net> Cc: <freebsd-questions@freebsd.org> Sent: Thursday, April 01, 2004 10:47 AM Subject: Re: chroot or jail? > > Hello, > > > I am setting up a new Apache 1.3.29; and I was wondering, should I use > > jail or chroot to secure it? I know root can potentially break out of chroot. > > But what about jail? (FreeBSD 4.9R-p3). Can you break out of a jail? > > No [1], that's the point :) Well, we all know how things are meant to work. I mean, you're not supposed to be able to break out of a chroot either; yet this is still possible (some fchdir exploits with open directory file descriptors pointing outside the chrooted environment). So, I reiterate my question, do such exploits exist for jail too? I particularly ask because of the chroot ability of mod_security (1.75). It chroots Apache, after having started it up. Neat trick. But my suspicious nature (not necessarily a bait trait in a system administrator) wonders how breakout-proof that method really is. Especially since Apache keeps quite a few file descriptors open, pointing outside the chrooted environment. So, I was contemplating that I am perhaps better off jailing Apache (with a real jail call), instead of chrooting it. Cheers, - Mark
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?200404011545.I31FJILG076782>