When Not to Use chroot

Hyena writes "Linux guru Alan Cox is quoted as saying 'chroot is not and never has been a security tool' in a KernelTrap article summarizing a lengthy thread on the Linux Kernel mailing list. The discussion began with a patch attempting to 'fix a security hole' in the Unix chroot command, trying to improve the ability of chroot to contain a process. When it was pointed out that people have been using chroot as a security tool for years, another kernel hacker retorted, 'incompetent people implementing security solutions are a real problem.' A quick search on the terms 'chroot+security' quickly reveals that many people have long thought (wrongly) that chroot's purpose was for improving security."

misleading...

[onemorehour]

This summary is truly and terribly misleading--the discussion simply says that a root user can break out of a chroot jail. Is this news? chroot can still be effectively used to contain processes that do not run as root.

Re:Not for security use?

[cperciva]

If chroot didn't require root privileges, the following exploit would be possible:

1. Create ~/etc/master.passwd with an empty root password.
2. Hard link /usr/bin/su to ~/usr/bin/su. (Yes, you can create hard links to files which you don't own.)
3. Copy /bin/sh, /bin/chmod, and the necessary libraries to the corresponding places under ~.
4. chroot ~ /usr/bin/su root /bin/chmod 4555 /bin/sh
5. ~/bin/sh is now an unrestricted root shell.

Re:Then what is it for?

[larry+bagina]

Actually, Bill Joy invented chroot as a hack to use a custom /usr/include directory in a compiler that didn't support alternate include paths.

Re:For daemons that don't run as root

[TheRaven64]

Yes you can. As I said, you launch them with:

# chroot directory su nobody daemon

This will chroot into directory, and run daemon as the nobody user. As long as the version of su inside your jail doesn't have any security holes, you will be fine. If you don't trust it, I've written a modified version of chroot, which calls setuid() and setgid() to a named user and group before executing the named process. This eliminates the need for a working su inside the chroot, typically removing the need for any setuid programs in the chroot.

Just because you can only run a command as a superuser doesn't mean that all of the child processes of that command have to be run as the superuser. If this were the case, since init runs as root you would not have a multiuser system.

Re:misleading...Re:Asshole Stereotype

[visualight]

I think his comment was directed specifically at people who do not have enough understanding to implement a security solution on linux but think they do. Would the same comment coming from an official MS authority on security make you not want to use Vista?

Anyway, I do understand the perspective behind your reaction, but it doesn't fit in this specific case.

Citation

[BobKagy]

Actually, Bill Joy invented <tt>chroot</tt> as a hack to use a custom /usr/include directory in a compiler that didn't support alternate include paths.

http://blogs.sun.com/chrisg/tags/chroot

Dr. Marshall Kirk Mckusick, private communication: ``According to the SCCS logs, the chroot call was added by Bill Joy on March 18, 1982 approximately 1.5 years before 4.2BSD was released. That was well before we had ftp servers of any sort (ftp did not show up in the source tree until January 1983). My best guess as to its purpose was to allow Bill to chroot into the /4.2BSD build directory and build a system using only the files, include files, etc contained in that tree. That was the only use of chroot that I remember from the early days.''

Re:Not for security use?

[kocsonya]

> Apparently, you don't know what a hard link is.
>
> You haven't created a file owned by root. You've created an i-node pointing to the
> data blocks of a file owned by root.

No, you didn't.
You created a directory entry pointing to the i-node of the file which is also pointed
by the 'sh' entry in the /bin directory file. In addition, the reference count in the i-node has been bumped up by 1. One file is one i-node and that inode contains the owner, permission and timestamp info as well as the disc blocks that the file uses. For all practical purposes the file and the i-node are the same thing. A dir entry contains a name for the file and a pointer to the inode. There can be as many dir entries in different directories to the same file as you wish. The i-node also contains a reference count of how many dir entries point to it. When you rm a file, it will remove the dir entry and decrement the refcount in the i-node. When the refcount reaches 0, the file is actually deleted (actually it will only be deleted if it is not open at the time, but that's a separate issue).

You can delete a hard link to a file owned by anyone if you have write permission on the directory that contains a link:

zoltan@gep:~> ln /bin/bash foo
zoltan@gep:~> ls -l foo
-rwxr-xr-x 2 root root 572200 2005-09-10 03:43 foo
zoltan@gep:~> rm foo
rm: remove write-protected regular file `foo'? y
zoltan@gep:~>

On the other hand, if you try it in /tmp:

zoltan@gep:~> cd /tmp
zoltan@gep:/tmp> ln /bin/bash foo
zoltan@gep:/tmp> ls -l foo
-rwxr-xr-x 2 root root 572200 2005-09-10 03:43 foo
zoltan@gep:/tmp> rm foo
rm: remove write-protected regular file `foo'? y
rm: cannot remove `foo': Operation not permitted
zoltan@gep:/tmp>

The reason for that strange behaviour is this:

zoltan@gep:/tmp> ls -ld /tmp /home/zoltan
drwxr-x--- 114 zoltan users 16248 2007-09-28 14:23 /home/zoltan
drwxrwxrwt 32 root root 3176 2007-09-28 14:25 /tmp

The /tmp can be written by anyone. Note the 't' at the end of the permissons of /tmp: that is the sticky bit. Normally, if you have write permission on a directory, you can add, delete and rename files in that directory, no matter who actually owns those files (since you do not want to touch the file, you only change the directory file, which you have right to). If the sticky is set, however, an entry can only be removed (or, for that matter, renamed) by the owner of the file pointed by that entry. This is actually a trick (kludge, if you like) to solve the problem that sometimes you need to be able to create files in a common place (e.g. lock files) but you must not let anyone but the owner delete them and the basic UNIX acces right model is not enough for that. One such place is /tmp, an other prominent example is /var/lock. Since creating a hard link is to insert an entry to the directory file you can do it in such a directory - anyone can add entries, as the directory is word-writable. However, if the sticky is set, you can only remove (or rename) an entry if the i-node pointed by that entry is actually owned by you - which is not the case with /bin/bash. It is not because /bin/bash is owned by root, it is because it is not owned by you. It has nothing to do with the i-nodes or hard links, but the way the sticky bit works, which was a really neat trick to solve a problem, but it has this side effect.

Is it a bug? Well, it's certainly a feature... Is it a security problem? I don't know, I am no security expert, but I haven't heard of an exploit based on links and the sticky bit yet.

Re:Or is it?

[h4rm0ny]

as well as removing all the advice that's currently around to chroot processes, if chroot isn't actually for security.

Well a good place to start would be at http://en.wikipedia.org/wiki/Chroot because one of the first things I did when this article came up was to double-check my understanding of chroot right there. FTFW:

This provides a convenient way to sandbox an untrusted, untested or otherwise dangerous program. It is also a simple kind of jail mechanism.

Re:Or is it?

[Rigrig]

By the time I read your comment someone already fixed the Wikipedia entry:

This is often misunderstood to be a security device, used in an attempt to sandbox an untrusted, untested or otherwise dangerous program, as if chroot was a working jail mechanism.