I've snipped some stuff out of both sides.
At 09:58 AM 12/11/00 +0000, Matthew Byng-Maddick wrote:
>On Sun, 10 Dec 2000, Gunther Birznieks wrote:
> > At 03:33 PM 12/10/00 +0100, Stas Bekman wrote:
>
> > For example, perhaps the mod_perl server and the HTML/images server should
> > be separately chrooted from each other? That way, someone who breaks the
> > dynamic script won't be able to mess with the frontpage of the website to
> > deface it assuming the hacker could get around permissions issues within
> > the chroot jail.
>
>Why do you need the proxy server to be chrooted at all? What does that
>gain you? After all, if Apache is insecure, you can break out of the
>chroot()ed jail anyway.
If Apache is insecure it's not necessarily possible to break out of the
chrooted jail. It depends on whether the part of Apache that grabs the socket
is insecure, which is a tiny part of Apache.
Apache itself is large and complex and if you are talking about a front-end
server, you are talking about having at minimum mod_proxy, mod_rewrite and
maybe even mod_backhand. These modules are not trivial code but breaking
them wouldn't allow someone to break out of the chroot jail with root
privileges.
> > BTW, OT question on the subject -- does anyone know if /chroot/etc/shadow is
> > necessary once the chroot jail is in effect? The author creates a shadow
>
>Well, you've lost if you break root inside a traditional chroot() (as
>opposed to FreeBSD4's jail()) -
>1) attacker can mknod() (and can therefore attack kmem).
>2) attacker can call chroot()
> - int j; mkdir("./bin"); chroot("./bin");
> for(j=0;j<PATH_MAX;j++) chdir(".."); chroot(".");
Doesn't this require the root ID in order to issue .. chroots? I may be
misunderstanding this portion of your statement.
>In which case the shadow file can be there. What isn't there is a way to
>get root (any suid programs or similar). You hope. :)
I agree that an important point to make is that any binary copied to
the chroot jail should not be suid root, as that would provide a point of attack.
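As an added example (not code from either poster), here is a small audit of a jail directory for the things this thread says should not be inside it: setuid/setgid binaries, device nodes (the mknod() vector mentioned above) and world-writable files. The function name `audit_jail` and its (path, reason) report format are assumptions of this example.

```python
import os
import stat
import sys

# Added example: walk a chroot jail and flag entries that give an intruder
# who gets code execution inside it a route to root or out of the jail.
# The jail path and the report format are assumptions of this example.

def audit_jail(jail_root):
    """Return a sorted list of (relative_path, reason) for risky entries."""
    findings = []
    # followlinks defaults to False, so we never wander out through a symlink.
    for dirpath, dirnames, filenames in os.walk(jail_root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)          # lstat: inspect the link itself, not its target
            mode = st.st_mode
            rel = os.path.relpath(full, jail_root)
            if stat.S_ISLNK(mode):
                continue                 # symlink modes are meaningless
            if mode & stat.S_ISUID:
                findings.append((rel, "setuid"))
            # setgid on a directory is group inheritance, not a privilege escalation
            if (mode & stat.S_ISGID) and not stat.S_ISDIR(mode):
                findings.append((rel, "setgid"))
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append((rel, "device node"))
            # world-writable files let a compromised server plant content;
            # world-writable dirs are tolerable only with the sticky bit set
            if (mode & stat.S_IWOTH) and not stat.S_ISDIR(mode):
                findings.append((rel, "world-writable"))
            elif stat.S_ISDIR(mode) and (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
                findings.append((rel, "world-writable dir without sticky bit"))
    return sorted(findings)

if __name__ == "__main__":
    # Usage: python audit_jail.py /chroot
    root = sys.argv[1] if len(sys.argv) > 1 else "/chroot"
    for path, reason in audit_jail(root):
        print("%-12s %s" % (reason, path))
```

Run it after populating the jail and again after every package update copied into it; anything it lists is either a mistake or needs a written justification.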