Re: Hurdish applications for persistence
From: Espen Skoglund
Subject: Re: Hurdish applications for persistence
Date: Wed, 12 Oct 2005 13:50:18 +0200
[ams ]
> It is not true that "chroot is insecure on all platforms".
> All UNIXoid platforms. There are several ways to break out of a
> chroot on them.
> If you are looking for an alternative, one that works and is
> actually used around the world, have a look at BSD jails. They
> provide a more thorough encapsulation than chroot.
> BSD jails use chroot AFAIK.
Yes. Jail uses chroot. It also adds a lot more restrictions and
is often used to confine larger subsystems. From [1]:
================================================================
Processes running with root privileges in the jail find that there are
serious restrictions on what it is capable of doing -- in particular,
activities that would extend outside of the jail:
+ Modifying the running kernel by direct access and loading kernel
modules is prohibited.
+ Modifying any of the network configuration, interfaces, addresses,
and routing table is prohibited.
+ Mounting and unmounting file systems is prohibited.
+ Creating device nodes is prohibited.
+ Accessing raw, divert, or routing sockets is prohibited.
+ Modifying kernel runtime parameters, such as most sysctl settings,
is prohibited.
+ Changing securelevel-related file flags is prohibited.
+ Accessing network resources not associated with the jail is
prohibited.
Other privileged activities are permitted as long as they are limited
to the scope of the jail:
+ Signalling any process within the jail is permitted.
+ Changing the ownership and mode of any file within the jail is
permitted, as long as the file flags permit this.
+ Deleting any file within the jail is permitted, as long as the file
flags permit this.
+ Binding reserved TCP and UDP port numbers on the jail's IP address is
permitted. (Attempts to bind TCP and UDP ports using INADDR_ANY will
be redirected to the jail's IP address.)
+ Functions which operate on the uid/gid space are all permitted since
they act as labels for filesystem objects of processes which are
partitioned off by other mechanisms.
================================================================
In short, some of the (AFAIK) most important features are that
jail prevents processes from accessing hardware directly, and it
prevents processes from binding to arbitrary IP addresses. In some
ways a jail is more akin to a Solaris Zone or a virtual machine.
eSk
[1] http://docs.freebsd.org/44doc/papers/jail/jail.ps.gz
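The thread's point is that chroot(2) on its own is not a security boundary and that jail has to add restrictions on top of it, in particular for processes that keep root privileges. As an added illustration (this is editor-supplied example code, not from the thread, from FreeBSD or from the jail paper), the following C helper shows the minimum a chroot-based service has to do on a UNIX-like system for the confinement to mean anything: refuse to leave the process as root, change the working directory into the new root, and drop supplementary groups, gid and uid in the only order that works, verifying that each step failed closed. The target uid/gid values and the enum names are assumptions of this example.

```c
/* Editor-added example: minimal correct use of chroot(2) as a confinement
 * step. chroot alone only changes the root directory; a process that keeps
 * root privileges inside it is not confined, so this helper refuses to
 * "confine" a process whose target uid or gid is 0. */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <grp.h>

/* Assumed status codes for this example. */
enum confine_status {
    CONFINE_OK = 0,
    CONFINE_ERR_ROOT_TARGET = 1,   /* refused: target uid or gid is 0 */
    CONFINE_ERR_CHROOT = 2,        /* chroot(2) failed (usually: not root) */
    CONFINE_ERR_CHDIR = 3,         /* could not enter the new root */
    CONFINE_ERR_DROP = 4,          /* setgroups/setgid/setuid failed */
    CONFINE_ERR_VERIFY = 5         /* ids did not end up as requested */
};

/* Pure check: do the real and effective ids equal the requested targets? */
int ids_match(uid_t uid, gid_t gid)
{
    return getuid() == uid && geteuid() == uid &&
           getgid() == gid && getegid() == gid;
}

int confine_process(const char *root, uid_t uid, gid_t gid)
{
    /* A chroot that keeps root privileges is not a sandbox; refuse it. */
    if (uid == 0 || gid == 0)
        return CONFINE_ERR_ROOT_TARGET;

    if (chroot(root) != 0)
        return CONFINE_ERR_CHROOT;
    /* Without this the working directory still refers to the old tree. */
    if (chdir("/") != 0)
        return CONFINE_ERR_CHDIR;

    /* Drop groups first, then gid, then uid: once setuid() has run there is
     * no privilege left to change the others. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return CONFINE_ERR_DROP;

    /* Fail closed: confirm the drop actually took effect. */
    if (!ids_match(uid, gid))
        return CONFINE_ERR_VERIFY;
    return CONFINE_OK;
}

int main(int argc, char **argv)
{
    /* Usage: ./confine <new-root>; 65534 is an assumed unprivileged id. */
    const char *root = argc > 1 ? argv[1] : "/var/empty";
    int rc = confine_process(root, 65534, 65534);
    if (rc != CONFINE_OK) {
        fprintf(stderr, "confinement failed (status %d): %s\n",
                rc, strerror(errno));
        return 1;
    }
    printf("confined in %s as uid %u\n", root, (unsigned)getuid());
    return 0;
}
```

Running the program requires root for the chroot(2) call itself; the refusal of a root target and the id verification are ordinary logic and can be exercised unprivileged. Note that this covers only what chroot can give; it does not add any of the jail restrictions listed above (device nodes, mounts, raw sockets, network addresses), which is exactly the gap the thread is discussing.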