LinuxQuestions.org
Register a domain and help support LQ
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices

View Poll Results: I think chroot jails are:
Over rated 0 0%
Under utilized 16 94.12%
I was FRAMED! 1 5.88%
Voters: 17. You may not vote on this poll

Reply
 
Search this Thread
Old 04-11-2002, 11:10 PM   #1
mcleodnine
Senior Member
 
Registered: May 2001
Location: Left Coast - Canada
Distribution: s l a c k w a r e
Posts: 2,731

Rep: Reputation: 45
chroot 'jail' -- opinions?


I've been looking into using a chroot jail and thought it might be a good idea to solicit some opinions before I dive into this project.
 
Old 04-11-2002, 11:29 PM   #2
jeremy
root
 
Registered: Jun 2000
Distribution: Debian, Red Hat, Slackware, Fedora, Ubuntu
Posts: 10,316

Rep: Reputation: 2612Reputation: 2612Reputation: 2612Reputation: 2612Reputation: 2612Reputation: 2612Reputation: 2612Reputation: 2612Reputation: 2612Reputation: 2612Reputation: 2612
With bind's security record I think it should install chroot'd by default. chroot is not the end all and chroot jails can be broken, but they are definitely a good step to take in my opinion.

--jeremy
 
Old 04-12-2002, 11:14 AM   #3
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,991
Blog Entries: 54

Rep: Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743
I agree. Especially if you take some extra steps to secure the box, like using "lcap" to take away some LINUX_CAPABILITIES (caps intended), like the ability to load modules after boot, run suid and sgid apps or be able to create devices (which can also lead to some breakage).
Btw, if you choose to patch your kernel with GRSecurity you'll get a lot more options to restrict chroot breakage and a lot more.
 
Old 04-22-2002, 08:54 PM   #4
Norel
Member
 
Registered: Apr 2002
Location: Italy
Distribution: RockLinux
Posts: 35

Rep: Reputation: 15
I'm agree with all above ... but ...
... just for dns ... use djbdns ... or other but not bind
 
Old 04-23-2002, 03:59 PM   #5
akohlsmith
Member
 
Registered: Apr 2002
Distribution: Slackware
Posts: 114

Rep: Reputation: 15
I've never been a fan of chroot

In the 6 years' that I've been using Linux I've never installed a chroot'ed environment for any daemons. Why?

- chroot is trivial to escape from once root is gained
- chroot'ed environments need to be set up for each daemon which is a major PITA
- run the daemon as its own user instead

BIND (9.1.2) works well running as its own user. Capabilities, as mentioned in a previous post, are nice too.
 
Old 04-24-2002, 06:17 PM   #6
Norel
Member
 
Registered: Apr 2002
Location: Italy
Distribution: RockLinux
Posts: 35

Rep: Reputation: 15
Re: I've never been a fan of chroot

Quote:
Originally posted by akohlsmith
- chroot is trivial to escape from once root is gained
When you have setup a chrooted environment your attention move to root gaining methods: if your jail is in a partition mounted with nosuid, any process in the jail run as its own user, you have blocked dev creation and module loading, ... chroot is NOT trivial to escape, because gaining root in this env. is VERY hard!
Surely no defense is unbreakable but you can make probability lower and that's your job.

Quote:
- chroot'ed environments need to be set up for each daemon which is a major PITA
Climbing computer security's stair is harder at any step and setting up chrooted environment is not the first, but if you want go higher (and you have time to spend ) it worth his price.

Quote:
- run the daemon as its own user instead
This is a must for any daenmon but some need root privileges and that's a pain.
 
Old 04-24-2002, 08:07 PM   #7
akohlsmith
Member
 
Registered: Apr 2002
Distribution: Slackware
Posts: 114

Rep: Reputation: 15
more on chroot

I agree that security is important. However the world of network security is a world of diminishing returns. Where on the graph you decide is secure enough depends on the situation.

For me, I have a set of daemons which I more or less 'trust': OpenSSH, ProFTPd, Apache+mod_perl+mod_ssl, recent BIND, qmail+vpopmail+courier IMAP, PostgreSQL, GNU-RADIUSd, NTPd.

Anything else that I'm not familliar with I would escalate the level of security somewhat along the lines of what you suggest, although what I usually do is put them on a separate server with the relevant ports forwarded and anything originating from it blocked and logged.

To me, having separate partitions and chrooted jails and so on is beyond where I'm willing to go; if I can't trust the app that much I will try to find something else, although I do admit that it is an interesting technique!
 
Old 06-01-2002, 06:18 PM   #8
crizoc
LQ Newbie
 
Registered: Jun 2002
Location: Jacksonville, Fl
Distribution: Red Hat 7.3
Posts: 2

Rep: Reputation: 0
I am trying to use chroot myself but cannot find any how-to on how to set the thing up. I am a Linux newbie btw. =\

-croz
 
Old 06-02-2002, 03:19 AM   #9
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,991
Blog Entries: 54

Rep: Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743Reputation: 2743
Croz, try the Jail Chroot Project, it's what I've been using, makes the setup easier, then I tweak it. It's got all the chroot docs on one page, but here's some more chroot docs: How to set up... (ok, it's RH but that's besides the point), Using Chroot Securely, Chrooting All Services in Linux (cached doc, couldnt find it elsewhere) and for good measure How to break out of a chroot() jail.

Patching your kernel with the GRSecurity patch assures for instance a "chdir" has been done before the actual "chroot", etc etc, but make sure you get the *latest* kernelpatch.
 
Old 06-02-2002, 04:28 PM   #10
crizoc
LQ Newbie
 
Registered: Jun 2002
Location: Jacksonville, Fl
Distribution: Red Hat 7.3
Posts: 2

Rep: Reputation: 0
Thanx unSpawn, i use redhat so its ok :]
 
Old 07-12-2003, 04:05 AM   #11
MasterC
Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 64
Quote:
Originally posted by unSpawn
Croz, try the Jail Chroot Project, it's what I've been using, makes the setup easier, then I tweak it. It's got all the chroot docs on one page, but here's some more chroot docs: How to set up... (ok, it's RH but that's besides the point), Using Chroot Securely, Chrooting All Services in Linux (cached doc, couldnt find it elsewhere) and for good measure How to break out of a chroot() jail.

Patching your kernel with the GRSecurity patch assures for instance a "chdir" has been done before the actual "chroot", etc etc, but make sure you get the *latest* kernelpatch.
Over a year later...

Security has become something that I am backpedaling with (sadly). I should have started with a secure box and went from there, but that's a little late now. So...

Just wanted to let you know: thanks! I'll be reading tons of threads like this and examining the links provided.

Cool
 
Old 07-12-2003, 04:39 AM   #12
moses
Senior Member
 
Registered: Sep 2002
Location: Arizona, US, Earth
Distribution: Slackware, (Non-Linux: Solaris 7,8,9; OSX; BeOS)
Posts: 1,152

Rep: Reputation: 46
Since this thread was resurrected, I'll just post my $0.02.
I use chroot for completely non-security related work, and something that I doubt the chroot developers had in mind. I use it to setup/configure a newly installed OS while the old one is still running.
This requires, of course, enough disk space to have two OSs installed, but with such cheap hard drives, who doesn't have the space?
 
Old 07-12-2003, 05:25 AM   #13
MasterC
Guru
 
Registered: Mar 2002
Location: Salt Lake City, UT - USA
Distribution: Gentoo ; LFS ; Kubuntu
Posts: 12,612

Rep: Reputation: 64
Believe it or not (probably not ) that's what got me thinking about all this kind of stuff. I've been chrooting into a Gentoo I've been configuring for me. I'm trying to get it all setup to a point where I can boot back and forth between my main distro and it, seamlessly. Each time I do things with it I chroot myself into the / partition of the gentoo env.

Yeah, I wouldn't believe me either, sure sounds like I'm just trying to sound as cool as Moses

Cool
 
Old 07-12-2003, 10:27 AM   #14
enigmasoldier
Member
 
Registered: Jul 2003
Location: Florence, Ky
Distribution: CentOS 3.3-4, OpenBSD 3.3, Fedora Core 4, Ubuntu, Novell Open Enterprise Server
Posts: 213

Rep: Reputation: 30
I have a few brief comments for this thread.

First chroot rocks but have you looked into User Mode Linux?
http://user-mode-linux.sourceforge.net/

To unspawn:
lcap.c is a nice program. It is clean and works. Have you ever used the "secumod" package bundled with SuSE but not installed by default? http://www.suse.de/en/private/suppor...ecure_webserv/ explains a little about it. At only 25kb, it doesn't kill my memory and it's performance impact isn't noticeable.
 
Old 07-15-2003, 05:15 PM   #15
dai
Member
 
Registered: May 2002
Location: Wales
Distribution: Slack 8.1, Gentoo 1.3a, Red Hat 7.3, Red Hat 7.2, Manrake 8.2
Posts: 328

Rep: Reputation: 30
chroot can be a pig to set-up as I can atest to, but in my opinion any system with Bind or Apache on it should run these jailed.

Yes Apache needs lots of stuff to run when being used in a Commercial environment e.g. Openssl, php and access to a database connection.

However once you nail down all of the issues and get it working its relatively easy to start Apache on boot chrooted and to ensure all other systems function Okay. Im talking from my recent experience of jailing Apache 2.0 with ssl and php support and a need to access a mysql database so if anybody disagree's then fine but In my opinion when looking at the possible problems that can be caused when runnign a web server that allows scripts and cgi then allowing it to run un-jailed is taking quite a risk.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
Chroot jail Gimpy Linux - Software 10 05-07-2010 01:30 PM
Chroot jail pachanga Linux - General 12 09-26-2008 05:15 AM
Jail and chroot rogk Linux - Security 2 10-16-2005 02:20 AM
chroot jail etc. f1uke Linux - Security 5 08-24-2005 03:12 AM
chroot jail simon Linux - Security 3 08-05-2001 08:21 PM


All times are GMT -5. The time now is 06:32 AM.

Main Menu
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
identi.ca: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration