Welcome to the most active Linux Forum on the web.
Go Back > Forums > Linux Forums > Linux - Security
User Name
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.


  Search this Thread
Old 02-23-2011, 02:07 PM   #1
LQ Newbie
Registered: Oct 2010
Posts: 14

Rep: Reputation: 0
linux chroot safe to use for sandbox?

I've read a lot of articles suggesting that you use chroot to create a sandboxed environment for users. Then I came across this discussion, and this article.

Is this still a valid security concern? (These are pretty old articles.) If so, here's why I'm struggling with the concepts presented:

If a user's chroot directory is actually /home/sam/jail, and the user creates a subdirectory of that, say /home/sam/jail/break then from the user's perspective, the following:

chroot ./break
cd ..
cd ..
cd ..

should only get the user as far as /home/sam/jail, right?
Click here to see the post LQ members have rated as the most helpful post in this thread.
Old 02-23-2011, 04:13 PM   #2
Registered: May 2001
Posts: 29,415
Blog Entries: 55

Rep: Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599Reputation: 3599
Originally Posted by linux_evangelist View Post
If a user's chroot directory (..) right?
As the first document stated (and as you can test yourself) breaking out of a chroot means getting or keeping the capability ('man capabilities') that allow one to call chroot. CAP_SYS_CHROOT is not something an unprivileged user has, ergo he can not break out of the chroot using this method. What you will frequently see a system service do is start as root, initialize the process like binding to a network port et cetera, change directory and then drop root rights running on as a lesser privileged user. As long as the daemon process drops root capabilities it can not break out of the chroot using this method too.
2 members found this post helpful.


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off

Similar Threads
Thread Thread Starter Forum Replies Last Post
Using Linux to sandbox USB drives in Windows ShanxT Linux - General 2 01-14-2009 03:23 AM
LXer: Entering A Safe Mirror When Logging In With Unionfs And Chroot LXer Syndicated Linux News 0 06-29-2007 11:01 AM
sandbox application for SUSE linux? izquierdista Linux - Software 1 02-10-2007 03:20 PM
[SOLVED] PHP safe mode, Chroot, Apache, Gallery gypsy_rabbi Linux - Security 2 10-06-2004 03:45 PM
sandbox execution (compare to: chroot)? prell Linux - Software 1 09-23-2004 02:03 PM > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 02:52 AM.

Main Menu
Write for LQ is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Open Source Consulting | Domain Registration