jailkit-users

Re: [Jailkit-users] Beginner Question - Security consequences of use chr


From: Olivier Sessink
Subject: Re: [Jailkit-users] Beginner Question - Security consequences of use chroot
Date: Mon, 14 Jan 2008 12:32:22 +0100
User-agent: Thunderbird 2.0.0.6 (X11/20071022)

Kevin Hilton wrote:
> I posted a question in Ubuntu forums to see what others would say
> about running a linux jailkit in terms of security risks:
> http://ubuntuforums.org/showthread.php?t=658621

As long as your users do not have root permissions inside the jail, a
jail will block a lot of possibilities for malicious users, but not all.
You need to combine that with filesystems with 'noexec' and a limited
shell and more, and even that will not stop everything. However, a lot
of automated attacks are stopped by such measures.

A lot of commercial security appliances use chroot (and several large
companies even use Jailkit to do this!), so I think that shows you that
it does add another layer of security.

But I agree, maintaining proper access rights is *always* important. But
chroot jails do more than just stopping users from reading/writing to
files outside the chroot:

Many attacks exploit locally available binaries; if these binaries
are not in the jail, the attack is stopped. Many attacks try to download
and execute scripts or install binaries. If there is no script
interpreter, and the user has only write access to an area that is
mounted with 'noexec', the attack is stopped.

So chroot jails *do* help. But they are just an extra layer of security,
not a total solution.

regards,
        Olivier

p.s. feel free to post this to the forum, I'm curious what the responses
are.
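
The conditions named in the message above (no root permissions inside the jail, writable areas mounted 'noexec', no script interpreter in the jail) can be checked mechanically. The Python audit below is an added example, not part of the original message and not Jailkit code; the interpreter list, function names and finding labels are assumptions.

```python
import os
import stat

# Assumed interpreter names; extend the set for your environment.
INTERPRETERS = {"sh", "bash", "dash", "perl", "python", "python3", "php", "ruby"}

def mount_options(path, mounts_text):
    """Return the option set of the longest mount point that contains path."""
    best, opts = "", set()
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        mp = fields[1].replace("\\040", " ")  # /proc/mounts escapes spaces
        inside = path == mp or path.startswith(mp.rstrip("/") + "/")
        if inside and len(mp) > len(best):
            best, opts = mp, set(fields[3].split(","))
    return opts

def audit_jail(jail_root, uid, mounts_text=None):
    """Return sorted (kind, path) findings for the jail used by user uid."""
    if mounts_text is None:
        with open("/proc/mounts") as fh:
            mounts_text = fh.read()
    findings = set()
    for dirpath, _dirs, filenames in os.walk(jail_root):
        st = os.lstat(dirpath)
        # Writable by the jailed user: owned by them or world-writable.
        writable = st.st_uid == uid or st.st_mode & stat.S_IWOTH
        if writable and "noexec" not in mount_options(dirpath, mounts_text):
            findings.add(("writable-exec", dirpath))
        for name in filenames:
            full = os.path.join(dirpath, name)
            fst = os.lstat(full)
            if not stat.S_ISREG(fst.st_mode):
                continue  # symlinks are skipped; their targets are checked
            if fst.st_mode & stat.S_ISUID and fst.st_uid == 0:
                findings.add(("setuid-root", full))  # a path to root in the jail
            if name in INTERPRETERS and fst.st_mode & 0o111:
                findings.add(("interpreter", full))
    return sorted(findings)
```

An empty result only means these three checks passed; as the message says, the jail remains one layer among several.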



