Linux - Security: This forum is for all security related questions. Questions, tips, system compromises, firewalls, etc. are all included here.
Sorry, I am not expert enough to comment on your paper on a technical level.
I had heard of a "chroot jail" before but, before reading your paper, had only a vague notion of what it was. Thank you for the very illuminating paper.
Nice doc Markus. Some remarks. I think you should add a piece on setting up a chroot jail, even if only a generic example. I mean, in my eyes the part isn't complete without it because it's the ultimate goal, right? (Yeah, yeah, I know. That'll mean you'll have to write about apps that can't be or are hard to chroot, Glibc, NSS, user/group auth, linkage, (root-owned) socket binding, linux_capabilities, etc etc, but IIRC you could collate nfo from docs (you) posted on LQ). I think it also would be good to list the ways to get out of a chroot (sXid apps, /proc, device or kernelmem access) or provide linkage, because it's an essential part of securing a chroot and chroots being set up for security, list some chroot SW (jail, compartiment?) or provide links.
//mental note, if you're talking about checking, don't forget about the top inode:
Code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>

int main(int argc, char **argv) {
    struct stat x;
    /* stat() the directory this process sees as "/"; non-zero means failure */
    if (stat("/", &x)) {
        printf("Unable to stat /\n");
        exit(EXIT_FAILURE);
    }
    /* inode 2 is the root directory of a mounted ext2/ext3 filesystem,
       so a root with another inode number is a chroot inside a filesystem */
    if (x.st_ino == 2) {
        printf("I am not chrooted or chrooted on a mountpoint\n");
    } else {
        printf("I am chrooted\n");
    }
    exit(EXIT_SUCCESS);
}
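As an added example (not from unSpawn's post or Markus' paper), a POSIX shell audit run from outside the jail that looks for the escape aids unSpawn lists: set-uid/set-gid binaries, device nodes outside a minimal /dev (and kernel-memory or raw-disk nodes inside it), and a procfs mounted under the jail. The jail path passed as the first argument is an assumption; findings are printed one per line so they can be counted or grepped.

```shell
#!/bin/sh
# audit_jail: scan a chroot jail directory from OUTSIDE the jail for the
# classic escape aids. Added example; $1 is the jail root (assumption).
audit_jail() {
    jail=${1%/}   # strip a trailing slash so path prefixes compare cleanly
    [ -d "$jail" ] || { printf 'no such directory: %s\n' "$jail" >&2; return 2; }

    # 1. set-uid / set-gid files: a privileged binary inside the jail can hand root back
    find "$jail" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
        | sed 's|^|SUID-SGID: |'

    # 2. device nodes anywhere but $jail/dev: a jail should not need them elsewhere
    find "$jail" -xdev \( -type b -o -type c \) ! -path "$jail/dev/*" -print 2>/dev/null \
        | sed 's|^|STRAY-DEVICE: |'

    # 3. risky nodes even inside $jail/dev: kernel memory and raw disks bypass the jail
    if [ -d "$jail/dev" ]; then
        find "$jail/dev" -xdev \( -type b -o -type c \) \
            \( -name mem -o -name kmem -o -name port -o -name 'sd*' -o -name 'hd*' \) \
            -print 2>/dev/null | sed 's|^|RISKY-DEVICE: |'
    fi

    # 4. a procfs mounted under the jail exposes outside processes (/proc/<pid>/root)
    if [ -r /proc/mounts ]; then
        awk -v j="$jail/" '$3 == "proc" && index($2, j) == 1 { print "PROC-MOUNT: " $2 }' /proc/mounts
    fi
    return 0
}

# audit_jail_count: number of findings for a jail, for scripts and cron checks
audit_jail_count() {
    audit_jail "$1" | wc -l | tr -d ' '
}
```

Run it as root against the jail root (for example `audit_jail /srv/jail`) and expect an empty report; any line printed names something to remove or remount before the jail is trusted.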
HF
First of all: THANK YOU VERY MUCH FOR YOUR FEEDBACK!
Well, I thought to have the paper without a complete example (since the how-to-chroot part is more or less an "example" of the steps involved). I thought more about adding another service setup tutorial, keeping chrooting in mind and relying on the basics of that paper.
About breaking chroots, there is a link to that in the FAQ area ... do you have any other links to be added to expand it? :-)