Chroot Jails Made Easy

GonzoJohn writes "There are always difficult jobs to do as a GNU/Linux system administrator. Sometimes the difficulty lies in finding out how to do a particular job, not necessarily the job itself. This can be particularly true in the open source world where documentation can often take a back seat to implementation. But once in a while, you can stumble on a real gem that simplifies even the most difficult administration tasks. One such gem is the Jail Chroot Project. Linux Orbit introduces you to creating chroot-ed environments in this article."

This is a great find!

[bwdunn]

I must have spent a week working through various docs trying to learn this, and most of what I read was either impossible to understand or just inaccurate. Finally I happened upon this, and I refer to it often. Here's the jist of it:

====================
Introduction
Jail Chroot Project is an attempt of write a tool that builds a chrooted environment. The main goal of Jail is to be as simple as possible, and highly portable. The most difficult step when building a chrooted environment is to set up the right libraries and files. Here, Jail comes to the rescue with a tool to automagically configures & builds all the required files, directories and libraries. Jail is licensed under the GNU General Public License.

Jail program has been written using C, and the setup script has been written using a bash script and perl. Jail has been tested under Linux (Debian 2.1 & 2.2, RedHat 6.1, 6.2 and 7.0 and Caldera Openlinux 7.0), Solaris (2.6), IRIX (6.5) and FreeBSD 4.3. Some people has contributed to jail with patches and ideas. Thanks to all of them.

Jail supports lots of interesting features:

Runs on Linux, Solaris, IRIX and freeBSD (tested) and should run in any of the flavours of these operating systems.
Modular design, so you can port Jail in an easy way.
Support for multiple users in a single chrooted environment.
Fully customizable user shell.
Support for multiple servers: telnetd, sshd, ftpd...
Easy to install thanks to the enviroment creation script.
Should work in any UNIX.
Ease of porting.
Allows run any kind of program as a shell.

An html version of the mailing list has been added to the web site. Now you can read all the user contributions, ideas and patches here.

Re:This is a great find!

[Doc+Assman]

Hi to everybody !

I'm Assman :) Yes, Jail works on all of these platforms!. I mantained Jail for about one year, If you see the page, Its pretty outdated. I want to update it more frecuently, but we have some 'technnical dificulties' (mainly, I need a new site to migrate Jail)

Now I have new plans for it: support more platforms, fix the installation bugs, migrate all the scripts to python (yes, python rocks!) and support program dependencies in order to install all the software (not only one binary or script)

Thanks to everyone for your feedback and new ideas.

- Juan M. Casillas

PS: Please send me all your feedback in order to improve jail!

Re:This is a great find!

[Some+Guy]

> I'm Assman :)

Gues he must really like it in jail!

Oh, come on. I'm kidding. Relaxez-vous.

Re:This is a great find!

Nice piece of software, but...

Why support FreeBSD? FreeBSD allready has a superior
implementation of jail. Don't waste your time on that. Furthermore why rewrite something to python which isn't as common as perl (perl is included in *BSD by default).

Greet,

Jorgen Maas

Re:This is a great find!

Il est totalement hors de question de relaxer ici.

what do I do with it?

[jericho4.0]

The chroot jail approach is pretty cool, and gives a great layer of security for the system too.

In the long run, though, I hope the standard aproach becomes User Mode Linux.

Re:what do I do with it?

[phaze3000]

The chroot jail approach is pretty cool, and gives a great layer of security for the system too. In the long run, though, I hope the standard aproach becomes User Mode Linux.

I don't. A UML installation normally has far more in the way of tools than a chroot-jail. if a cracker exploits a vulnerable daemon and gets into UML they have far more opportunity to do badness. If, on the other hand, they exploit a vulnerable chroot-jailed daemon then if it's well set up all they'll have access to is probably /dev/urandom and /dev/log - neither of which they can do any great damage with. UML is a great tool, but this really isn't the best way to use it.

Re:what do I do with it?

[Virtex]

If someone can get a root shell, even if it's in a chrooted jail, they can get access to your whole system. This is possible because chroot wasn't really designed for security purposes, even though it's usually used that way. A root user can break out of a jail because:

1) chroots are not recursive. If I create a chroot jail inside an existing chroot jail, the outer jail disappears. Combine this with #2.

2) chroots will not let you open a file outside the jail. But if a file is already open when the jail is created, it will remain open and active.

So, if I can get a program to the victim's machine, I can open a file descriptor to the current jailed directory (fd = open(".", O_RDONLY)), mkdir a subdirectory, change into that directory, and chroot in it. Now I can do a fchdir(fd) to get out of the jail. From there, I will perform several chdir("..") calls to reach the real root directory, and exec a bin/sh. I now have a root shell to the whole system.

An ordinary user can't do the chroot's, but if there's already on open file handle pointing outside of the jail, they can usually break out, too.

Why CHROOT JAIL?

[bwdunn]

Anyone allowing shell access to your systems should bookmark, read, and master this stuff. If you have no idea why, this should help (from the article):

So what is a "chroot jail"?

Essentially it is a security method for creating a safe user enviroment on systems that allow remote access accounts. The "jail" locks users into a virtual directory structure and grants access only to applications created for the jailed users by the administrator. It has long been a standard for hosting companies to create remote access accounts with this method, but the process was far from simple. Creating each account took many steps and needed thorough testing to assure system security.

Re:Why CHROOT JAIL?

I was going to ask why? This seems like a really strong lock on a flimsy-walled room, anyone with a floppy and access to the pc can cirbumvent ... but I guess this isn't a desktop environment lock-down, it's a shared server (telnet or some other mainframy-thing) lockdown. OK.

Re:Why CHROOT JAIL?

give me one OS that cannot be compromised by local access. hence the reason for implementing security IRL as well as network level.

Re:Why CHROOT JAIL?

[naasking]

EROS, KeyKOS, and pretty much any properly designed capability operating system

Re:Why CHROOT JAIL?

[CableModemSniper]

BS. How is a capability system gonna help when I take a hammer to it?

Re:Why CHROOT JAIL?

[naasking]

The data was not compromised now was it?

Re:Why CHROOT JAIL?

[CableModemSniper]

Can any capability system (short of having an encrypted filesystem) prevent me from taking the hard drive and mounting it in some other box and having a look at the data?

Re:Why CHROOT JAIL?

[naasking]

Ok, let's establish what we mean by local access. There is local access such as terminal users, and there is local access such as machine owner. A machine owner can do whatever the hell he wants. He can disassemble the entire system, apply disk forensics, read the motherboard EPROMS, whatever. As far as the machine is concerned, he is God and not even a capability system could stop him from doing what he wanted (unless it employed encryption, or disk randomization schemes like EROS is currently implementing).

Local access at the terminal/user level is secure for any pure capability system (properly configured of course).

Bloody BOFH

[tanveer1979]

First he fried my data
Then he formatted my drive
Then he garbled my project


But.. I am *not* going to let him put me in jail too! Rise ye users. This is a conspiracy by all admins to jail us. they are violating our DMCA RIAA CIAA BIDA ...... Supreme court.. here I come

jail != chroot

[zdzichu]

Jail is a term taken from BSD.
In BSD, jail and chroot are two different things, althrough very similar. There exist two syscalls - jail() and chroot().

What's the difference?
Chroot is ordinary chroot, the same as in linux. You do chroot /something bin, and /something becomes root direcorty (/) of run program. This program can't open for example /etc/passwd, because _real_ /etc doesn't exist in it's /. Chrooted program's /etc is in fact /something/etc.
But if you goot root priviledges you can easily break chroot. Just make a special file named 'hda1' beeing a device node (like those in /dev) inside chroot, mount it, and ... voila! You have access to whole disk. Chroot is broken. Of course, you must have access for making file, but must chroot have.

Jail is slightly different. It not only hold process in some directory. It's also *restrict* certain *syscalls*. So you can't mount anything, change network settings and some more. Jail is more restrictive and probably you can't break it even if you have root access in jail.

Jail, because of blocking syscalls, must have some help from kernel. Right now, there is a jail() in FreeBSD and probably NetBSD. OpenBSD don't have it - Theo says it's too complicated to be secure. Also Linux don't have jail().

If you want more information, browse FreeBSD man pages, avaiable online.

Re:jail != chroot

[lambsonic]

Theo thinks that things can be secure only if he can understand them ?

Well, at least he isn't putting something in the kernel that he doesn't understand. :)

Re:jail != chroot

[kasperd]

Chroot is broken

I disagree with that. But I do agree with the rest of what you wrote. Chroot is not broken, but it is however often used for the wrong job. Chroot is intended to be usefull for some system installation, system maintainance, and some software testing. For those purposes chroot works nicely. But using chroot for security purposes can be broken. Though chroot is not intended to be a security feature, it can in some cases help security. Running a daemon with a different root only helps if the daemon does not run as root, in that case we can prevent it from accessing a lot of devices and suid executables, which could potentially contain root exploits. So chroot cannot keep root inside, but it can help preventing another user inside from finding the root exploit he needs to get out.

Re:jail != chroot

[eg]

> Also Linux don't have jail().

Vserver project for linux does
have an equivalent of FreeBSD jail():

http://www.solucorp.qc.ca/miscprj/s_context.hc

Re:jail != chroot

[jdh28]

Well, duh. Properly securing a system absolutely requires that you understand it completely.

john

Re:jail != chroot

I can't believe no one has mentioned Vserver. It has a similar approach but uses a patched kernel for more security:

http://www.solucorp.qc.ca/miscprj/s_context.hc

Re:jail != chroot

[friscolr]

OpenBSD don't have it - Theo says it's too complicated to be secure

OpenBSD has systrace to restrict system calls, as does NetBSD and it is being ported to linux as well. there exists a systrace implementation on NetBSD which eliminates all setuid/setgid binaries - http://mail-index.netbsd.org/source-changes/2002/1 0/12/0006.html

it almosts seems that secure unix systems want to be capability systems.

Feature Request: RPM Integration

[mbogosian]

The chroot jail looks like a tinkerer's paradise. My only question is how is software installation done for non trivial programs?

From the site:

Now, we are going to install the 'awk' program into the chrooted environment. We need to call the addjailsw script with the -P argument:

/usr/local/bin/addjailsw /var/chroot -P awk

The output for the script will be something like this:

addjailsw
A component of Jail
http://www.gsyc.inf.uc3m.es/~assman/jail/
J uan M. Casillas

Guessing awk args(0)
creating /var/chroot//lib/libc.so.6
Warning: file /var/chroot/lib/libc.so.6 exists. \
Overwritting it
creating /var/chroot//usr/bin/awk
creating /var/chroot//etc/ld.so.cache
Warning: file /var/chroot/etc/ld.so.cache exists. \
Overwritting it
creating /var/chroot//lib/libm.so.6
creating /var/chroot//lib/ld-linux.so.2
Warning: file /var/chroot/lib/ld-linux.so.2 exists. \
Overwritting it

Done.

Again, not to minimize the outstanding work here, but what if I want to create chroot jails for the LAMP class I'm teaching (I'm not really, but this seems like a cool application) so they can all have their own Apache installations? It sounds like chroot will know to move the httpd binary and the required shared libraries, but what about the rest of the admin shell scripts, server root, shared icons dir, mime types file, etc.?

Then what happens if I want to upgrade? My guess is a fair amount of bootstrapping needs to be done in the new root....

What might be really cool is for addjailsw to be RPM-aware so I could do a addjailsw mod_ssl-2.8.7-6 which would get a list of necessary files and package dependencies and install them in the new root and update the RPM DB in the new root as well.

Maybe just wishful thinking....

Re:Feature Request: RPM Integration

[Doc+Assman]

Hello

Yes. This can be the right approach to this. If you have all the packages ready for install into jail, you can jail a whole system :) But when you change the original package, you need to re-package the 'jail' version.

But, lets go one step far: what about to create a script that generates the jail package ? this shouln't be so difficult: jail explores the binary files (and a dry run) in order to extract the 'dependencies' of this file. But you can explicity say what are the dependencies (e.g. you can tell the packager that apache requires the bin/* files, the conf/* files, and the libexec/*, plus all the required libraries (found when jail explores all the binary and library files)

I think on this, it looks useful!. For now, what wants to create a .deb or .rpm packages for jail so it can be included in some distros

Just one problem...

[The+Fanta+Menace]

Although they are a step towards higher security, chroot jails are not infallible.

If there's a security hole in an application, it's still possible for an attacker to get root (but yes, they'll be confined to the chroot environment).

But then, under Linux, at least, the attacked will still be able to mount /proc, if they find a way of getting binaries into the machine, which will enable a number of possible attacks on the machine, by altering stuff under /proc/sys.

It may also be possible for the attacker to create device files (eg, /dev/hda) and write directly to the disk.

So, all in all, even if you're running in a chroot jail, it helps to make sure your apps are running as non-root, if you can. authbind is your friend.

Re:Just one problem...

[Skapare]

You don't need /proc or even a device to get out of chroot. Just hang on to the current directory and move the chroot to a subdirectory below you. Then repeat chdir("..") until you are back at the real root and do chroot(".") and voila, you're out. The code is here.

Re:Just one problem...

[phaze3000]

Chroot jails are not infallible, but they provide considerable extra security.

A good example of this is in the case of BIND9. One starts the name server (as root), which binds to the socket, and then chroots and drops priviliges to that of the named user. If BIND is compromised the attacker finds themself in a chroot jail as user named with only read access to the files they can see.

Chroot-jails do not provide complete protection for programs that run as root (at least not on machines that don't implement the jail() system-call, ie most *nix OSs). They are still, however, extremely useful.

Re:Just one problem...

I can't believe no one has mentioned Vserver. It has a similar approach (chroot) but uses a patched kernel for more security:

http://www.solucorp.qc.ca/miscprj/s_context.hc

The main problem I've had with it is that it was made for RedHat. Since I don't use RedHat I was never able to get it to work right (mainly due to lack of time to mess with it).

That's neat

[SexyKellyOsbourne]

Though it seems like a virtual system, a chroot cell is not totally virtual, and there can still be plenty of comprosmises.

Like usual, all you need is access to a compiler, and you can make a jailbreak. In fact, there's a whole guide to it here:

http://www.bpfh.net/simes/computing/chroot-break.h tml

If the whole jail resided in its own actual virtual Linux machine, where nasty things cannot break the account, just the session, they would be quite a bit more effective.

Re:That's neat

[Skapare]

If the whole jail resided in its own actual virtual Linux machine, where nasty things cannot break the account, just the session, they would be quite a bit more effective.

You can use User Mode Linux to do that.

Re:That's neat

[phaze3000]

If the whole jail resided in its own actual virtual Linux machine, where nasty things cannot break the account, just the session, they would be quite a bit more effective.

You can use User Mode Linux to do that.

Except that UML often gives the attacker enough that they don't need to bother breaking out of it. These days, nine times out of ten, the attacker has compromised your box in order to use it for a DoS net. UML gives the attacker all the tools necessary to do this without any need to break out of it at all.

Re:That's neat

What idiot would give you access to a compiler in a chroot environment ???
Think loud before writing such stupidities ... you are just making remarks to make remarks ... nonsense !

Re:That's neat

[mindstrm]

That's why you filter traffic to/from the instance of UML at the host OS level.

Re:That's neat

I can't believe no one has mentioned Vserver. It has a similar approach (chroot) but uses a patched kernel for more security:

http://www.solucorp.qc.ca/miscprj/s_context.hc

The problem you mentioned has been fixed in Vserver by the way.

Re:That's neat

[gelinas]

The vserver project provides a neat way to
have chrooted process with less capabilities
so they can't break out. For example, they can't
use mknod nor write to /proc. In fact, they can't
mount. So even as root with a compiler, you won't
break the chroot (all the tricks have been tested).

http://www.solucorp.qc.ca/miscprj/s_context.hc

Apache in Jail

This book will teach how to jail apache.

Re:Apache in Jail

Isn't that illegal these days?

Chroot is dumb

This is such a weak idea. What we really need are fine-grained capabilities. Chroot is a very blunt way to implement some vague semblance of that. Check out: http://www.eros-os.org for a system which implements sane security. Chroot is just a band-aid that helps stop the bleeding but doesn't fix anything.

I mean you've got to have a theme.

Note that our 'Jail' software developer has the username 'assman'.

http://www.gsyc.inf.uc3m.es/ ~assman /jail/index.html

Re:I mean you've got to have a theme.

[Doc+Assman]

Yes !

In the beginning, I want to call myself the assembler man, but I have a very poor english at 14' (I'm spanish) and I didn't know what 'ass' means XD. But yes, I'm assman.

Re:I mean you've got to have a theme.

Sooo Assman...
Does your code have any back-doors?

sorry, it had to be said.

Re:I mean you've got to have a theme.

[referee]

Thanks to Assman I sleep at night knowing my daemons are safely locked up.

chmod jail?

[Lord+Bitman]

it would be nice to see, rather than just plain chroot with its own directories and such, a 'chmod jail', which acts as a symlink to other directories (no need to copy libs) yet makes certain alterations impossible for any user (even root)

Re:chmod jail?

Vserver does just that.

Re:chmod jail?

[Lord+Bitman]

That looks cool, but not what I'm talking about. I think there are other projects doing the same type of thing, though those focused only on the experimentation end. I think there was a slashdot article on one, maybe both of the ones I've heard of.

Get out of jail free!

[Skapare]

The chroot environment is trivial to get out of if you're still running as root. Obviously if there's an exploit that lets you get root access even inside a chroot environment, then you can get out of that chroot environment.

The C source code is here.

Re:Get out of jail free!

Use Vserver it uses a patched kernel so you can't do things like what you mentioned.

You don't even need a device.

[Skapare]

You don't even need a device to get out of chroot. See my other comment to this story.

Re: Old but effective

[twoslice]

I have been using chroot for many years, mostly with the big three (Apache bind and sendmail). However, I would never rely solely on chroot for security.

It is rediculous to do a Maxwell Smart and put 10 locks on your front door when the window is wide open. You are always better to rely upon a locked box, inside a locked box, inside a locked box etcetera, Rather than OUMF lock!

OUMF??? you say (new proposed acromyn)...
Just think of Arnie in Predator when he says to the alien "You're one ugly mother f......"

Real jail for Linux

[j7953]

Note that there is a project that attempts to add jail-syscall-like functionality to the Linux kernel: vserver.

I haven't tested it yet, but it looks very promising.

Re:Real jail for Linux

[gelinas]

The vserver projet provides a more general solution
than jail (2 syscalls instead of one). It also builds on
linux capabilities, so you can control the level of
privilege a virtual server has (root in a vserver).
Because of its generality, it was far easier to package
solutions out of it. vserver is already in production today.
Some ASP offers virtual servers to customer.
Quite frankly, once you have tried vservers, it changes the way you work (for the better). Here are some advantage:

• As fast as the native server
  -More secure. A vserver can't break into the root
  server.
  
• A vserver containing a pretty full linux distro uses
  30-40megabytes of disk space.
  
• Cloning a vserver takes one minute. So having
  a production server running side by side with a
  clone so you can test upgrades is easy and safe.
  
• A vserver may be moved from one physical server
  to another without reconfiguration.
  

To say that vserver is promising is ... missleading :-)

Re:Real jail for Linux

[Tack]

I have set this up for use on one of our production servers. I haven't actually deployed the new box yet, but I have had a chance to play with vserver.

The concept is very nice, and in fact the implementation is also quite good. The biggest problem with vservers is the increased administrative overhead. This is of course to be expected, but in some cases it does require you to punch holes in your vservers. For example, I have qmail in a separate vserver, which uses a different /home than the shells vserver. But I have qmail patched to use SMTP AUTH (with TLS of course), but for that to work I must share the passwd and shadow files from the shells vserver. Also, shells users will want access to their .procmailrc and .qmail, so I must mount the qmail vserver /home somewhere so they can access it. You can see that a typical production environment requires several relationships between vservers, which not only increases complexity but decreases security.

Still, the advantages are worth it. Unification (using hardlinks across vservers) is cool. vrpm lets you upgrade/install RPMs on all or selected vservers and lets you unify them after. Unfortunately there's no automated tool to non-RPM files, but that's not too hard to write.

Of course the kernel protection offered in vservers is another big plus that an ordinary chroot won't offer. Processes within vservers don't see each other, and /proc is severely reduced. Users (including root) are bound by capabilities, so for instance you could prevent even root from opening raw sockets.

Vserver is definitely a good security tool.

Jason.

Re:Real jail for Linux

Couldn't you avoid the sharing of a lot of your files such as passwd/shadow by using network services instead of the filesystem? Such as LDAP? That wouldn't require piercing the vserver quite so much.

Re:Real jail for Linux

[Burning1]

To deal with the /etc/passwd problem, you may be able to use somthing like LDAP authentication.

Convert your system authentication over to an LDAP database, install the LDAP PAM libraries, configure qmail for pam -> LDAP authentication, and then connect to your login database over the loopback network connection.

I've never actually done this, but AFAIK it should work.

.... lack of documentation?

[user311]

*
This can be particularly true in the open source world where documentation can often take a back seat to implementation.
*

I dont know to what degree this is meant, but I would never find myself stating this alone. I think open source generally has incredible documentation. The only comparison to open source is closed source, and I don't think there is much of a question of which one is stronger at documentation. Even when I do find closed source documentation, it is rarely verbose enough. Another strong point to open source documentation is that it is only getting better. While most closed source development just leaves release info and install info (often just informing the location of files), open source documentation projects are often an undermovement to projects themselves. I don't deny there are exceptions, like this article and some other projects, systems, etc (particularly very small ones), but if it wasnt for the incredible open source documentation out there, that is so persistently provided that I always expect it, then I wouldnt have ever been able to detach myself from the closed source hells I have been used to.

Re:.... lack of documentation?

[Tomble]

Odd... I use Linux and open source almost exclusively (I have an old Win95 -yes, 95- machine, that gathers dust because I only really keep it for games that I rarely play on it; my current Linux box is single boot), but my own experience of the issue is that way too much open source software has either no documentation (or some microscopic readme that tells you nothing of use), or has documentation that is incomplete .

My own pet grump in this regard is GTK/GDK, where it would appear that they did documentation for 1.0 about 5 years ago, then gave up halfway through, but carried on coding the next version anyway. Now they're on 2.0, and version 1's documentation is still unfinished. True, it's free software, they don't owe me anything, it's not like they're getting payed for it; but it's asking a bit much to expect me to want to use the thing so badly that I'd go out of my way to figure out all the ins and outs of the damn thing, to work out what they, who know all about it could have written down for all the world to see, which would have spared lots of people time that could have been better spent- so I've since given up trying to code stuff with GTK. Yes, having said this, a pretty huge number of people seem to have written things with GTK, but perhaps what they needed had been documented, or perhaps they were far more patient. Perhaps they were more "leet" than me. Who knows.

Now, rant over, don't get me wrong- as I said, that's just an example of how I feel documentation is often dealt with in free software, it's hardly particular to that project. Also, don't anyone go making out that I'm claiming that GTK/GDK is "bad software", because I'm not. I just feel that being told "read the source" is a fscked-up response for people to give when you need documentation.

Oh well, perhaps we're both looking at different software, or maybe I'm just a miserable bugger. shrug

NB-I still prefer free (as in GPL) software

Cue the Fat Boys

[cliffiecee]

In jail, In jail without no bail
In jail, In jail because we failed!

System call policies

[Phactorial]

The Medusa project allows the implementation of system call policies in Linux. Google for it. I think with smart rulesets; chroot and jail are all redundant. For example, denying untrusted user set*id access (toppled by smart fileaccess privileges) renders most "security" attacks useless for that user (he cannot cause any real damage other than DoS, which can also be stopped by implementing thread/fork timers for that user).

Re:System call policies

You should check out systrace.

It supports very comprehensive policy creation to determine which system calls are allowed for a specific application. You can actually create your policies on the fly. A graphical popup will inform you about potential policy violations.

You can use it to restrict access to the file system, or allow only certain users to connect to the network or accept network connections, etc.

It is a great tool to improve the security of your system and available for GNU/Linux, NetBSD and OpenBSD.

virtual users

[corz]

I would like to implement a chroot system but I would rather not have to add users to /etc/passwd.

Does anyone know of a similar method that can authenticate users out of a virtual user database?

Re:virtual users

[Hobophile]

Not knowing the specifics of your goal, I can only suggest that you explore various PAM modules, e.g. pam-mysql. If you don't want users to have shell access -- say, they are users of a mail system or some such -- then you probably don't even need to use PAM.

I personally run an apache/postfix/courier-IMAP/pure-ftpd server where all users are stored in a MySQL database. Courier-IMAP and Pure-FTPd both query the database directly, and Postfix does SASL-based SMTP authentication. SASL uses IMAP to perform the authentication, which ties it back to the same database. Users can upload web pages to an appropriate directory, which I manually direct Apache to serve as a specific website. Pure-FTPd handles the chrooting itself.

If you are free to choose the programs you will be running to support a specific task, you should be able to find one that supports MySQL-based virtual users without too much hassle.

Is IA32 any less secure?

Hi all. I may be remembering incorrectly but I think I heard that there existed assembly level vulnerabilities specifically for IA32 (x86) CPUs running certain OSs. In other words, there are CPU hardware design flaws that a user can exploit via certain asm instructions in order to gain privilege to the OS. This would be a roughly similar concept compared to the way an attacker can find a way to gain a UID 0 shell and then break out of chroot. Is this possible, or just urban legend?

If this is possible, then this would diminish the value of even kernel level ACLs on files and processes. For example, grsecurity and LIDS.

BTW I just followed the instructions listed in another comment in this discussion in order to break out of my own chroot instantly. Wow. :-/ Well at least it's still fine as long as there's no way to gain UID 0 privilege inside a chroot, such as if the network daemon runs as non-UID0 and there are no userspace tools in the chroot.

Re:Is IA32 any less secure?

[dan_bethe]

Hi all. I may be remembering incorrectly but I think I heard that there existed assembly level vulnerabilities specifically for IA32 (x86) CPUs running certain OSs. In other words, there are CPU hardware design flaws that a user can exploit via certain asm instructions in order to gain privilege to the OS. This would be a roughly similar concept compared to the way an attacker can find a way to gain a UID 0 shell and then break out of chroot. Is this possible, or just urban legend?

Hey can someone mod this up? I've searched google and various security sites about this and can't confirm an answer.

chmod is nice...

[Squidgee]

But, it's not perfect. As stated by another user, it's the equivilant of putting 10 padlocks on the door, but leaving the window wide open. Here is an article about how easy it is to break chroot in a CGI based server.

So, while chroot may be good, do not rely on it soley for security.

Re:MIT course teaches chroot jails

far to much time...

Well set up?

[mmol_6453]

If it's vulnerable, doesn't that usually mean that it's not set up well?

Re:Well set up?

It doesn't make things less vulnerable, it just makes the attacker unable to break anything except the app being chrooted.

Re:Well set up?

[phaze3000]

Except that it may well be vulnerable because of an undisclosed bug in the program that is being chrooted.

This has been taken even further

[whynot]

A bunch of people have taken the ideas of isolating programs or users into jails even further. Take a look at this site.

plan9 can't

[DrSkwid]

no superuser = nothing to compromise

File access is via a dedicated server

Authentication for file access to the fileserver is from a dedicated server.

Users log into a third group of machines - CPU servers.

Local access means nothing. You can't escalate your privileges because there are none to escalate to.

Re:plan9 can't

You're missing the point. Two simple compromises that'll work with local access:

- Yanking 2 Drive from a RAID 5 array will compromise the system.
- If it's running on commodity PC hardware, you can use a Windows98 bootdisk with a Hex Editor installed to do whatever you want to the Filesystem (And even if the bootorder is restricted in BIOS and password protected, you can crack the case and reset this)
- If the filesystem is mountable on linux (and I don't know if Plan9 is) you can use a Slackware install CD as a sophisiticated bootdisk with a shitload of tools.
- (And my personal favorite) pouring beer on the MoBo.

Granted, only two out of four of these methods allow you to access/modify data, put it's still trivial if you have physical access.

Re:plan9 can't

Granted, only two out of four of these methods allow you to access/modify data, put it's still trivial if you have physical access.

use encrypted file systems. then the only effective attacks will be DoS and Rubber-hose.

Cool project, but would like more features

I would like to see chroot jails become a more regular part of the OS.

User Mode Linux is going in the right direction with this.

But what I think we really need is a versioning file system. Rather than creating new copies of system files for each jail, such a file system could provide each jail with a read-only copy of original system files. Any modifications to those files would be versioned-out and specific to that jail.

Is anything like that being worked on?

"Chroot jails made easy"

[malkman]

At last! A solution to our overcrowded prison system!

Or so I thought.

SECURITY IS NOT ABSOLUTE!

[mcrbids]

I've been using ~assman's chroot for some time. In fact, it works with SSH and various other programs because of feedback I did with the project owner.

Yeah, chroot is not absolute. Neither is anything else. But, it's a great way to make sure that your clients don't see anything they aren't supposed to.

Combine chroot with SSH-only connections, and you have a real step in the area of security and/or privacy.

Again, read the subject, SECURITY IS NOT ABSOLUTE! But any step you make to prevent unwanted activity is a step in the right direction. Enough thwarting of "bad" behavior means the black hat will quit or look elsewhere, and that means you've won.

Security is not about absolutes; it's about risk management. Only idiots think that something is "secure" or it's "not". Chroot is a valid tool in the direction of more secure.