
Re: chroot() break



Olli Artemjev <olli@metaltelecom.org.ru> writes:

> On Wed, 23 May 2001, Will Backman wrote:
> > Are there any chroot jails that are not?
> Seems there are none yet. But something is MUCH better than NOTHING. I see NOTHING
> in OpenBSD currently.

I don't think any of you know what you are talking about.

Show how a regular user can break out of a chroot in OpenBSD and you will
be famous.

But don't talk about root being able to break out of chroot. Soon someone will
also start rambling about being able to compromise the root account by stealing
the hardware.

We are not going to add a huge amount of complexity to the kernel (and by
that introduce new bugs) just to circumvent something that's more or less
a central design decision, just because some other operating system announced
widely that they closed the most known possibility of breaking chroot while
leaving 20 others untouched.

There is no need for having someone with root powers inside a chroot. If there
is a need then the system with that need has much more serious design problems.

> Also I would like to see an analogue to Linux
> www.openwall.com patches (I mean non-executable stack) for BSD
> _kernels_. But again I see NOTHING. ;(

This has also been discussed. Read the archives.

OpenBSD is not claiming to have the highest amount of "security" features
(which in itself is pretty contradicting), OpenBSD is claiming to have the
least amount of security critical bugs.

If you are looking for features to play with, this is the wrong system.

//art

> > Will Backman
> > Coastal Enterprises, Inc.
> > On Wed, 23 May 2001, pokemon wrote:
> > > 	hi!
> > > 	it's well-known that obsd's chroot() is
> > > 	breakable.
> > > 	so i wonder is the development team going to
> > > 	fix this "feature"?
> > > 	thanks.
> > > 	// poke_mon
> -- 
> Bye.Olli
> MISiS Telecommunications
> phone:   +7(095)955-0087
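
The reply's design point, that nothing inside a chroot should keep root powers, shown as an added example that is not part of the original message or of OpenBSD's code: a daemon confines itself and then gives up root irreversibly. The helper name `jail_and_drop`, the error codes, the `/var/empty` directory and uid/gid 32767 are assumptions chosen for illustration.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE          /* glibc: expose chroot() and setgroups() */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

enum jail_err { JAIL_OK = 0, JAIL_BAD_ARGS = -1, JAIL_CHROOT = -2,
                JAIL_DROP = -3, JAIL_STILL_ROOT = -4 };

/* Hypothetical helper: confine the process to `dir`, then drop root for good. */
int jail_and_drop(const char *dir, uid_t uid, gid_t gid)
{
    /* Never keep uid 0 or gid 0 inside the jail; require an absolute path. */
    if (dir == NULL || dir[0] != '/' || uid == 0 || gid == 0)
        return JAIL_BAD_ARGS;

    /* chroot() needs root. chdir("/") moves the working directory inside
       the new root so no handle on the old tree remains via the cwd. */
    if (chroot(dir) != 0 || chdir("/") != 0)
        return JAIL_CHROOT;

    /* Order matters: supplementary groups, then gid, then uid. Once the
       uid is dropped the process may no longer change its groups. */
    if (setgroups(1, &gid) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_DROP;

    /* Verify the drop: regaining root must fail and all ids must match. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return JAIL_STILL_ROOT;

    return JAIL_OK;
}

int main(int argc, char **argv)
{
    /* Constructed sample values; adjust for the local system. */
    const char *dir = argc > 1 ? argv[1] : "/var/empty";
    int rc = jail_and_drop(dir, 32767, 32767);
    if (rc != JAIL_OK) {
        fprintf(stderr, "jail_and_drop(%s): %d (errno %d)\n", dir, rc, errno);
        return 1;
    }
    puts("confined and unprivileged");
    return 0;
}
```

Open any files or sockets that need root before calling the helper, and close every descriptor that refers to a directory outside the jail.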