[SOLVED] linux chroot safe to use for sandbox?

linux_evangelist · 02-23-2011, 02:07 PM

I've read a lot of articles suggesting that you use chroot to create a sandboxed environment for users. Then I came across this discussion, and this article.

Is this still a valid security concern? (These are pretty old articles.) If so, here's why I'm struggling with the concepts presented:

If a user's chroot directory is actually /home/sam/jail, and the user creates a subdirectory of that, say /home/sam/jail/break then from the user's perspective, the following:

chroot ./break
cd ..
cd ..
cd ..
...

should only get the user as far as /home/sam/jail, right?

unSpawn · 02-23-2011, 04:13 PM

Quote:

Originally Posted by linux_evangelist

If a user's chroot directory (..) right?

As the first document stated (and as you can test yourself) breaking out of a chroot means getting or keeping the capability ('man capabilities') that allow one to call chroot. CAP_SYS_CHROOT is not something an unprivileged user has, ergo he can not break out of the chroot using this method. What you will frequently see a system service do is start as root, initialize the process like binding to a network port et cetera, change directory and then drop root rights running on as a lesser privileged user. As long as the daemon process drops root capabilities it can not break out of the chroot using this method too.