On Sun, 2010-08-01 at 17:41 -0700, Gordon Messmer wrote:
> On 08/01/2010 01:44 PM, JohnS wrote:
>> It *WILL* work. It is called "Outside to In" && mount -o bind will also.
>
> You previously described symlinking "out" to the root filesystem, which is impossible. Symlinks cannot resolve to files outside of a chroot environment. Hard links can.

lol

> It is, however, possible to create a symlink in the primary root filesystem which points to a file inside a tree used for chroot, if that is what you mean by "outside to in". In that case, your previous post was simply unclear.

Correct, yes.

>> The difference depends on exactly what the person needs, i.e. which way. It will also allow a "Jail Break" Out & In. So security goes out the window. In effect, Zero Day, here we are.
>
> Symlinks do not allow you to break out of a chroot. In fact, chroot isn't a security mechanism. chroot will confine any non-root process, but any root process can escape a chroot simply by setting its cwd to the root directory and then calling chroot() to any directory. The process will then have a cwd outside its own root filesystem, and can access the filesystem outside of the path it was originally using as its chroot.

Most people choose to refer to chroot as a secure means of running a service, which is simply not true. It is known in the past that non-root services can jail break out and can break into the jailed root. The only good I have ever seen from chroot is building an OS from the ground up. It will only ever be as secure as the person configuring it.

> The term "zero day" normally describes a software exploit which was not previously known. I don't believe it applies to anything you described.

True, and there are new ones every day, don't be fooled. What good is the bind service running in a chroot when you get cache poisoned? Are your patches up to date? That may not even help.
John
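The thread's practical takeaway is that a chroot only confines a process that cannot call chroot(2) again, so the thing to audit is whether a chroot'd service still runs as root or holds CAP_SYS_CHROOT. The script below is an added example, not code from this list thread; it assumes a Linux /proc layout (/proc/<pid>/root and the Uid/CapEff fields of /proc/<pid>/status, with CAP_SYS_CHROOT being capability bit 18), and the SAMPLE records, including the /var/named/chroot path and pids, are constructed for illustration.

```python
"""Audit processes confined by chroot() that can still leave it. Assumes a
Linux /proc layout; the SAMPLE records at the bottom are constructed."""
import os

CAP_SYS_CHROOT = 18  # capability bit index from linux/capability.h

def parse_status(text):
    """Parse the key/value lines of /proc/<pid>/status into a dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def can_escape(status):
    """True if the process may call chroot(2) again (what leaving a chroot
    needs): real uid 0, or CAP_SYS_CHROOT in its effective capability set."""
    real_uid = int(status["Uid"].split()[0])
    cap_eff = int(status.get("CapEff", "0"), 16)
    return real_uid == 0 or bool((cap_eff >> CAP_SYS_CHROOT) & 1)

def audit(records):
    """records: iterable of (pid, root_link, status_text); returns the pids
    whose root is not '/' but which can still leave that root."""
    return [pid for pid, root, text in records
            if root != "/" and can_escape(parse_status(text))]

def collect_live(proc="/proc"):
    """Gather records from a live /proc; entries we may not read are skipped."""
    records = []
    for name in os.listdir(proc):
        if name.isdigit():
            try:
                root = os.readlink(f"{proc}/{name}/root")
                with open(f"{proc}/{name}/status") as fh:
                    records.append((int(name), root, fh.read()))
            except OSError:
                pass
    return records

# Constructed sample: chroot'd named as root (can escape), the same service
# as an unprivileged user with no capabilities, and an ordinary root shell.
SAMPLE = [
    (101, "/var/named/chroot", "Name:\tnamed\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"),
    (102, "/var/named/chroot", "Name:\tnamed\nUid:\t25\t25\t25\t25\nCapEff:\t0000000000000000\n"),
    (103, "/", "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"),
]
if __name__ == "__main__":
    print(audit(SAMPLE))  # [101]
```

Run `audit(collect_live())` as root to check a real host; a pid in the result is a chroot that would not stop its own process from walking back out.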