chroot or jail?
Mark
admin at asarian-host.net
Thu Apr 1 07:45:21 PST 2004
----- Original Message -----
From: "Kris Kennaway" <kris at obsecurity.org>
To: "Mark" <admin at asarian-host.net>
Cc: <freebsd-questions at freebsd.org>
Sent: Thursday, April 01, 2004 10:47 AM
Subject: Re: chroot or jail?
> > Hello,
>
> > I am setting up a new Apache 1.3.29; and I was wondering, should I use
> > jail or chroot to secure it? I know root can potentially break out of
chroot.
> > But what about jail? (FreeBSD 4.9R-p3). Can you break out of a jail?
>
> No [1], that's the point :)
Well, we all know how things are meant to work. I mean, you're not supposed
to be able to break out of a chroot either; yet this is still possible (some
fchdir exploits with open directory file descriptors pointing outside the
chrooted environment). So, I reiterate my question, do such exploits exist
for jail too?
I particularly ask because of the chroot ability of mod_security (1.75). It
chroots Apache, after having started it up. Neat trick. But my suspicious
nature (not necessarily a bait trait in a system administrator) wonders how
breakout-proof that method really is. Especially since Apache keeps quite a
few file descriptors open, pointing outside the chrooted environment. So, I
was contemplating that I am perhaps better off jailing Apache (with a real
jail call), instead of chrooting it.
Cheers,
- Mark
More information about the freebsd-questions
mailing list