On Fri, Nov 29, 2002 at 11:19:04AM +0100, martin f krafft ([EMAIL PROTECTED]) wrote:
> just found this in my logs, after installing djbdns via
> djbdns-installer (FHS) and starting it through svscan.
>
> albatross kernel: grsec: Attempted fchdir outside of chroot to root
> by (dnscache:29264) UID(105) EUID(105), parent (supervise:24861)
> UID(0) EUID(0)
>
> what is it doing? i don't know much about djbdns yet, so maybe you can
> shine a light on that...

Not sure if you ever got a response on this.

IIRC, recent (current?) Linux Magazine has an article on chroot jails. It includes a number of ways in which they can be broken out of, though most of these require root access within the chroot itself.

Putting your chroot jail on a filesystem without dev or suid permissions can help limit these exploits further, and is yet another reason for creating multiple filesystems and mounting them with permissions appropriate, and adequate, but no more than this, for the job at hand.

Chroot is a good tool, but like much else, it's an additional level of protection, not a silver bullet.

-- 
Karsten M. Self <[EMAIL PROTECTED]>        http://kmself.home.netcom.com/
 What Part of "Gestalt" don't you understand?
   Geek for hire:  http://kmself.home.netcom.com/resume.html
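
An added example, not part of the original message: one way to audit the mount-option advice above is to find the filesystem that holds a chroot directory and report whether it lacks nodev or nosuid. The mount table and the jail paths below are constructed samples in /proc/mounts format; on a live Linux system you would pass the contents of /proc/mounts instead.

```python
import os

# Constructed sample in /proc/mounts format (not taken from the original post).
SAMPLE_MOUNTS = """\
/dev/sda1 / ext3 rw,relatime 0 0
/dev/sda2 /var ext3 rw,nosuid,relatime 0 0
/dev/sda3 /var/jail ext3 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /srv/my\\040jail tmpfs rw,nodev 0 0
"""

REQUIRED = ("nodev", "nosuid")  # options the message recommends for a jail filesystem

def _unescape(field):
    # /proc/mounts encodes space, tab, newline and backslash as octal escapes.
    for esc, ch in (("\\040", " "), ("\\011", "\t"), ("\\012", "\n"), ("\\134", "\\")):
        field = field.replace(esc, ch)
    return field

def parse_mounts(text):
    """Return a list of (mountpoint, set_of_options) in file order."""
    mounts = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # skip blank or malformed lines
        mounts.append((_unescape(parts[1]), set(parts[3].split(","))))
    return mounts

def covering_mount(path, mounts):
    """Find the mount holding path: longest mountpoint prefix, last entry wins ties."""
    path = os.path.normpath(path)
    best = None
    for mnt, opts in mounts:
        prefix = mnt.rstrip("/") + "/"  # whole path components only: /var must not match /variable
        if (path + "/").startswith(prefix):
            if best is None or len(mnt) >= len(best[0]):
                best = (mnt, opts)
    return best

def missing_options(jail, mounts_text):
    """Return the required options absent from the filesystem holding jail."""
    found = covering_mount(jail, parse_mounts(mounts_text))
    if found is None:
        raise ValueError("no mount covers %r" % jail)
    return [o for o in REQUIRED if o not in found[1]]

if __name__ == "__main__":
    for jail in ("/var/jail/dnscache", "/var/lib/dnscache/root", "/srv/my jail"):
        print(jail, "missing:", missing_options(jail, SAMPLE_MOUNTS) or "nothing")
```

An empty result means the jail's filesystem already carries both options; it says nothing about other escape routes, which is the "not a silver bullet" point in the message.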

