From owner-freebsd-security Fri Oct 8 14: 4:53 1999
Delivered-To: freebsd-security@freebsd.org
Received: from fever.semiotek.com (H253.C225.tor.velocet.net [216.126.82.253]) by hub.freebsd.org (Postfix) with ESMTP id DD47A15284 for ; Fri, 8 Oct 1999 14:04:44 -0700 (PDT) (envelope-from jread@fever.semiotek.com)
Received: (from jread@localhost) by fever.semiotek.com (8.9.3/8.9.3) id RAA01755 for freebsd-security@freebsd.org; Fri, 8 Oct 1999 17:05:40 -0400 (EDT) (envelope-from jread)
Date: Fri, 8 Oct 1999 17:05:40 -0400
From: Justin Wells
To: freebsd-security@freebsd.org
Subject: chroot jail in pre 4.0
Message-ID: <19991008170540.A1618@fever.semiotek.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
X-Mailer: Mutt 1.0pre2i
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

I have several daemons running chrooted on my box, and I am wondering just
how safe I can make things under 3.3/3.2. I will definitely be using jail()
once that's available to me, but currently it's not.

What I would like to do is come up with something as secure-as-possible
using a combination of chflags, mount options, chroot, and exec. Something
like this:

-- mount /secure with nodev, nosuid, and noexec
-- schg,sunlnk any libraries/binaries/config files in /secure/someroot,
   and sappnd,sunlnk the logfiles.
-- set security level high enough to enforce schg, sunlnk, and sappnd
-- accept a network connection (possibly with inetd, or some variant)
-- chroot to /secure/someroot
-- suid to a non-root user
-- exec some daemon or run some process

Yes, that's really paranoid, but I have to run some really bogus C code
that I just don't trust, and I don't have the resources to audit it. No,
I'm not going to mention where it is and what it is :-)

You may have noticed my problem though: if the partition is mounted noexec,
then I cannot perform an exec AFTER the chroot. But that means the daemon
has to start running outside the chroot, AS ROOT, and then call chroot()
on its own. I don't want my bogus C code monster running as root outside
its chrooted jail, at all.

I also think having the partition mounted as "noexec" buys me some
significant benefits--attackers cannot find ways to upload program code
and exec it, because nobody can exec anything.

There are actually two programs: one that needs to be run out of inetd,
and another program that is a long-running server. Neither would survive
five minutes of even the most incompetent security audit, in my opinion.
But I have to run them...

What I need is some way to combine a chroot and an exec in one simultaneous
operation, so that the target partition can be noexec, so that the target
of the exec doesn't have to be inside the chrooted area.

Is there any way around this? What else should I do? Will jail be of any
help later?

Justin

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
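The chroot-then-drop-privileges-then-exec sequence described in the message, as an added example written for this page (it is not code from the original post or from FreeBSD): a small wrapper meant to be started by inetd as root, which enters the jail, gives up root for good, and only then execs the untrusted program by its in-jail path. The jail directory, uid/gid and program path are command-line arguments and are assumptions of the example, as is the name `jail_exec`. It also makes the constraint behind the question explicit: `execve()` after `chroot()` can only reach a file under the new root, and a file on a noexec mount is refused with EACCES, so the untrusted binary itself has to live inside the jail on a mount that permits exec; noexec can still cover the jail's data and log directories.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Translate a host path such as /secure/someroot/bin/bogusd into the path the
 * same file has once chroot(jail) is in effect (/bin/bogusd).  Returns -1 when
 * the target is not inside the jail: execve() after chroot() can only reach
 * files under the new root, so an outside target is a configuration error and
 * is refused up front instead of failing with ENOENT later. */
int jail_relative_path(const char *jail, const char *target, char *out, size_t outlen)
{
    size_t jl = strlen(jail);
    while (jl > 1 && jail[jl - 1] == '/')      /* tolerate a trailing slash */
        jl--;
    if (jl == 1 && jail[0] == '/')             /* jail is "/": nothing to strip */
        jl = 0;
    if (strncmp(target, jail, jl) != 0)
        return -1;
    const char *rest = target + jl;
    if (*rest != '/')                          /* "/secure/someroot2/..." is outside */
        return -1;
    if (strlen(rest) >= outlen)
        return -1;
    strcpy(out, rest);
    return 0;
}

/* Drop root for good: supplementary groups first (they are otherwise kept),
 * then gid, then uid.  Afterwards verify that root cannot be regained; on a
 * system where setuid() only changed the effective uid, a later setuid(0)
 * would succeed, which is exactly what an exploited daemon would try. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)
        return -1;                             /* refuse to "drop" to root */
    if (setgroups(1, &gid) < 0)
        return -1;
    if (setgid(gid) < 0)
        return -1;
    if (setuid(uid) < 0)
        return -1;
    if (setuid(0) == 0 || setgid(0) == 0)      /* both must fail now */
        return -1;
    return 0;
}

/* Confinement sequence for a program started by inetd as root: move into the
 * jail, chroot, drop privileges, then execve the target by its in-jail path.
 * The exec is last, so the untrusted code never runs outside the jail or as
 * root.  Returns -1 only on failure; execve() does not return on success. */
int jail_exec(const char *jail, uid_t uid, gid_t gid, const char *target, char *const argv[])
{
    char inside[PATH_MAX];
    if (jail_relative_path(jail, target, inside, sizeof inside) < 0) {
        errno = EINVAL;
        return -1;
    }
    if (chdir(jail) < 0)                       /* chroot() alone leaves cwd outside the jail */
        return -1;
    if (chroot(".") < 0)
        return -1;
    if (chdir("/") < 0)
        return -1;
    if (drop_privileges(uid, gid) < 0)
        return -1;
    char *const envp[] = { NULL };             /* inherit nothing from inetd's root environment */
    execve(inside, argv, envp);
    return -1;                                 /* e.g. EACCES when the binary sits on a noexec mount */
}

int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s JAILDIR UID GID /host/path/to/program [args...]\n", argv[0]);
        return 64;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    jail_exec(argv[1], uid, gid, argv[4], &argv[4]);   /* argv[4..] become the child's argv */
    fprintf(stderr, "jail_exec: %s\n", strerror(errno));
    return 1;
}
```

Run as root, for example from an inetd entry: `./jailexec /secure/someroot 1001 1001 /secure/someroot/bin/bogusd bogusd`. The `chdir(jail)` before `chroot(".")` and the `chdir("/")` after it are what stop the process from keeping a working directory outside the new root, and the `setuid(0)` check after dropping privileges is the part such wrappers most often leave out.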