
Re: chroot() break



On 24 May 2001, Artur Grabowski wrote:
> > On Wed, 23 May 2001, Will Backman wrote:
> > > Are there any chroot jails that are not?
> > Seems there are none yet. But something is MUCH better than NOTHING. I see NOTHING
> > in OpenBSD currently.
> I don't think any of you know what you are talking about.
I think I know.

> Show how a regular user can break out of a chroot in OpenBSD and you will
> be famous.
I'm not talking about this.

> But don't talk about root being able to break out of chroot.
Why should I stop with this? I don't think that I should just shut up. I
just tried to point out to you that this would be appreciated by end users,
those that install OpenBSD on their servers, and I think that porting the jail
implementation from FreeBSD to OpenBSD would be a good thing.

> Soon someone will
> also start rambling about being able to compromise the root account by
> stealing the hardware.
:) Please don't try to use sophistic examples. =)

> We are not going to add a huge amount of complexity to the kernel (and by
> that introduce new bugs) just to circumvent something that's more or less
> a central design decision, just because some other operating system announced
> widely that they closed the most known possibility of breaking chroot while
> leaving 20 other untouched.
I agree that there are other ways for the root user to break chroot. But why
then not stop them all? :/

> There is no need for having someone with root powers inside a chroot. 
> If there is a need then the system with that need has much more serious
> design problems.
Agreed, but what about bugs in daemons that drop privileges to ordinary
users? They are found from time to time anyway, and when this shit happens, OSes
with more protection layers win. Am I wrong? :? And look at it from another
point of view: we're the OS end users. More than that, we are admins who prefer
OpenBSD for security reasons, and we all would like to see this
"feature" in the kernel. I think there are many folks around who will vote for
this. 

> > Also I would like to see an analogue to the Linux
> > www.openwall.com patches (I mean non-executable stack) for BSD
> > _kernels_. But again I see NOTHING. ;(
> This has also been discussed. Read the archives.
Ohh.. OK. Probably I will. 
 
> OpenBSD is not claiming to have the highest amount of "security" features
> (which in itself is pretty contradicting), OpenBSD is claiming to have the
> least amount of security critical bugs.
That's why we use it too.

> If you are looking for features to play with, this is the wrong system.
Ok-ok.. I'll continue using Linux with the latest security patches and shut up
about OpenBSD development. Agreed. Let's forget all of the above. ;/ Sorry for
the noise on the list. ;|

-- 
Bye.Olli
MISiS Telecommunications
phone:   +7(095)955-0087