From: Marc Slemko
To: Dev Chanchani
cc: freebsd-security@FreeBSD.org, freebsd-questions@FreeBSD.org
Date: Fri, 1 Nov 1996 16:35:58 -0700 (MST)
Subject: Re: chroot() security

(If you follow up to this, please remove -questions since I think this is specific enough to go to -security, and -questions is more of a fallback for questions that don't apply elsewhere.)

On Fri, 1 Nov 1996, Dev Chanchani wrote:

> We are developing a site which will allow people to access their pages
> via telnet. We are going to place them in a chroot() environment giving
> them access to only critical programs (a la ls, editor, etc.). Does anyone
> know of any security implications per se of putting someone in a
> chroot()'ed environment, and what files must be in their directory for
> things to function properly?

Never lose sight of the fact that if someone gets root in the chrooted environment, they have root on the whole machine. The chrooted environment does not lessen the implications of getting root, it only makes it harder to do so.
If you have more than one user that needs this access and you want a separate tree for each, remember that as long as you keep them on the same partition you can hard link the common files so you only need one copy of them on disk. Be careful with permissions in the chrooted environment to be sure the user can't write to what they aren't supposed to.

One method of implementing the chrooted environment, if you have a separate IP address for each client, is to use tcpd. For example, in your hosts.allow:

	telnetd@192.168.0.1 : \
		.example.com : \
		rfc931 : severity auth.info : \
		twist = /usr/sbin/chroot /directory/to/chroot/to /usr/libexec/telnetd

This says to use this entry only for telnetd on an interface with an IP address of 192.168.0.1. In some cases this works well, in others you need to actually do more work. Whatever you do, don't make a world executable setuid chroot binary available since that has the potential to allow a security compromise.

As to what files you need, you quickly figure that out by what doesn't work. Some of the things include the passwd file (/etc/[s]pwd.db is the most important on FreeBSD), the groups file (if you want numeric groups to be converted to names), shared libraries (if you don't make all binaries static), and some of /dev but not too much. Exactly how much you need depends on your particular circumstances.

Overall, this can be an effective method of implementing a virtual environment and increasing security. We are using it for both ftp and shell access and it works quite well.
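The two points above that bite in practice are "be careful with permissions" and "don't make a setuid chroot binary available": a setuid program inside the tree, or a writable program or library, is exactly what turns a chroot back into the whole machine. The following is an added example, not part of Marc Slemko's message or of FreeBSD: a small POSIX shell audit that walks a chroot tree and lists set-uid/set-gid executables, world-writable files and directories (sticky directories excepted), and device nodes, so the populated /dev can be reviewed against what is actually needed. The sample tree it builds is constructed here for illustration; the function and file names are the example's own.

```sh
#!/bin/sh
# audit_chroot ROOT
# Prints one line per weakness found inside the chroot tree ROOT:
#   setid <path>           set-uid or set-gid regular file
#   world-writable <path>  file or non-sticky directory writable by everyone
#   device <path>          character or block device node (review against need)
audit_chroot() {
    root=$1
    find "$root" -type f \( -perm -4000 -o -perm -2000 \) \
        -exec printf 'setid %s\n' {} \;
    find "$root" \( -type f -o -type d \) -perm -0002 ! -perm -1000 \
        -exec printf 'world-writable %s\n' {} \;
    find "$root" \( -type c -o -type b \) \
        -exec printf 'device %s\n' {} \;
}

# count_findings ROOT: number of lines audit_chroot reports for ROOT.
count_findings() {
    audit_chroot "$1" | wc -l | tr -d ' '
}

# make_sample_tree: build a constructed chroot skeleton in a temp directory
# (this is sample data for the demonstration, not a real jail layout) and
# print its path. It contains two deliberate findings: a set-uid binary and
# a world-writable file. The sticky tmp directory is correct and not flagged.
make_sample_tree() {
    umask 022
    dir=$(mktemp -d)
    mkdir -p "$dir/bin" "$dir/etc" "$dir/dev" "$dir/home/user/tmp"
    : > "$dir/bin/ls";      chmod 755  "$dir/bin/ls"
    : > "$dir/bin/su";      chmod 4755 "$dir/bin/su"      # finding: setid
    : > "$dir/etc/pwd.db";  chmod 644  "$dir/etc/pwd.db"
    : > "$dir/etc/notes";   chmod 666  "$dir/etc/notes"   # finding: world-writable
    chmod 1777 "$dir/home/user/tmp"                       # sticky: not flagged
    printf '%s\n' "$dir"
}

# Stand-alone usage: build the sample tree, audit it, clean up.
if [ "${1:-}" = "--demo" ]; then
    sample=$(make_sample_tree)
    audit_chroot "$sample"
    rm -rf "$sample"
fi
```

Run it as `sh audit_chroot.sh --demo` to see the two constructed findings, or call `audit_chroot /directory/to/chroot/to` against a real tree. Device nodes are listed rather than judged, since which ones a jail needs is, as the message says, circumstance-dependent; the list just makes the review explicit.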