Date:      Fri, 8 Oct 1999 17:05:40 -0400
From:      Justin Wells <jread@semiotek.com>
To:        freebsd-security@freebsd.org
Subject:   chroot jail in pre 4.0
Message-ID:  <19991008170540.A1618@fever.semiotek.com>

I have several daemons running chrooted on my box, and I am wondering just
how safe I can make things under 3.3/3.2. I will definitely be using jail()
once that's available to me, but currently it's not.

What I would like to do is come up with something as secure-as-possible 
using a combination of chflags, mount options, chroot, and exec. 

Something like this:

   -- mount /secure with nodev, nosuid, and noexec 
   -- schg,sunlnk any libraries/binaries/config files in /secure/someroot, 
      and sappnd,sunlink the logfiles.
   -- set security level high enough to enforce schg, sunlink, and sappnd
   -- accept a network connection (possibly with inetd, or some variant)
   -- chroot to /secure/someroot
   -- suid to a non-root user
   -- exec some daemon or run some process

Yes, that's really paranoid, but I have to run some really bogus C code 
that I just don't trust, and I don't have the resources to audit it. No 
I'm not going to mention where it is and what it is :-)  

You may have noticed my problem though: if the partition is mounted
noexec, then I cannot perform an exec AFTER the chroot. But that means 
the daemon has to start running outside the chroot, AS ROOT, and then
call chroot() on its own. 

I don't want my bogus C code monster running as root outside its chrooted
jail, at all. I also think having the partition mounted as "noexec" buys 
me some significant benefits--attackers cannot find ways to upload program 
code and exec it, because nobody can exec anything.

There are actually two programs: one that needs to be run out of inetd,
and another program that is a long-running server. Neither would survive
five minutes of even the most incompetent security audit, in my opinion. 
But I have to run them...

What I need is some way to combine a chroot and an exec in one simultaneous
operation, so that the target partition can be noexec, so that the target
of the exec doesn't have to be inside the chrooted area.

Is there any way around this? What else should I do? Will jail be of 
any help later?

Justin
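
The accept, chroot, suid, exec sequence from the list above as a small trusted launcher, added here as an example (not code from the post or from FreeBSD); the jail path, the uid/gid and the daemon path are assumed placeholders. Starting the untrusted binary only through such a wrapper means the untrusted code itself never runs as root, and the final execv() is exactly where a noexec mount on /secure breaks the sequence (EACCES), the conflict the post describes.

```c
/* Added example, not from the original post or from FreeBSD: a minimal
 * trusted launcher that enters the chroot, drops to an unprivileged
 * uid/gid and only then execs the untrusted daemon.  Paths and ids are
 * hypothetical.  Run it as root from outside the jail; the daemon it
 * execs never runs as root.  On a noexec mount execv() fails with EACCES. */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns only on failure (-1 with errno set); on success execv()
 * replaces the process image, so there is nothing to return. */
int jail_exec(const char *root, uid_t uid, gid_t gid, char *const argv[])
{
    if (uid == 0 || gid == 0) {        /* never run the daemon as root */
        errno = EINVAL;
        return -1;
    }
    /* chdir first so the working directory is inside the new root;
     * chroot(".") then cannot be escaped by a stale cwd outside it. */
    if (chdir(root) != 0 || chroot(".") != 0)
        return -1;
    /* Drop supplementary groups, then gid, then uid, in that order. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible before handing control to the daemon. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    /* argv[0] is a path relative to the new root.  With /secure mounted
     * noexec this is the call that fails (EACCES). */
    execv(argv[0], argv);
    return -1;
}

int main(void)
{
    /* Hypothetical jail root, unprivileged ids and daemon path. */
    char *const daemon_argv[] = { "/libexec/untrusted-daemon", NULL };
    jail_exec("/secure/someroot", 10001, 10001, daemon_argv);
    perror("jail_exec");      /* only reached on failure */
    return EXIT_FAILURE;
}
```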
To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?19991008170540.A1618>