[CentOS] /bin/su wont work inside a chroot?
JohnS
jses27 at gmail.com
Mon Aug 2 04:30:12 UTC 2010
On Sun, 2010-08-01 at 17:41 -0700, Gordon Messmer wrote:
> On 08/01/2010 01:44 PM, JohnS wrote:
> > It *WILL* work. It is called "Outside to In" && mount -o bind will also.
>
> You previously described symlinking "out" to the root filesystem, which
> is impossible. Symlinks cannot resolve to files outside of a chroot
> environment. Hard links can.
lol
> It is, however, possible to create a symlink in the primary root
> filesystem which points to a file inside a tree used for chroot, if that
> is what you mean by "outside to in". In that case, your previous post
> was simply unclear.
Correct, yes.
> > The difference depends on what exactly the person needs. IE (which
> > way). It will also allow a "Jail Break" Out & In. So security goes out
> > the window. In effect Zero Day here we are.
>
> Symlinks do not allow you to break out of a chroot. In fact, chroot
> isn't a security mechanism. chroot will confine any non-root process,
> but any root process can escape a chroot simply by setting its cwd to
> the root directory and then calling chroot() to any directory. The
> process will then have a cwd outside its own root filesystem, and can
> access the filesystem outside of the path it was originally using as its
> chroot.
Most people choose to refer to chroot as a secure means of running a
service, which is simply not true. It is known in the past that non-root
services can jail break out and can break into the jailed root. The
only good I have ever seen from chroot is building an OS from the ground
up. It will only ever be as secure as the person configuring it.
> The term "zero day" normally describes a software exploit which was not
> previously known. I don't believe it applies to anything you described.
True, and there are new ones every day; don't be fooled. What good is the
bind service running in a chroot when you get cache poisoned? Your
patches up to date? That may not even help.
John
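The thread's disagreement is about what a symlink and a hard link can reach from inside a chroot. The following script is an added example, not part of the mailing-list thread, and it does not call chroot() (which needs root). It simulates the kernel's path walk for a chrooted process in a throwaway directory: an absolute symlink target is re-rooted at the chroot directory and ".." can never climb above it, so a symlink cannot point "out"; a hard link, by contrast, shares the inode of a file outside the tree, which is why Gordon says hard links can. All file names and contents below are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def resolve_in_root(root, path, max_links=40):
    """Resolve `path` the way the kernel would for a process chrooted to `root`.

    Absolute symlink targets restart at `root`, and '..' at `root` stays
    at `root`, mirroring the chroot path walk (simulation, not chroot()).
    """
    root = os.path.realpath(root)
    stack = []                      # components resolved so far, relative to root
    todo = [c for c in path.split("/") if c not in ("", ".")]
    links = 0
    while todo:
        comp = todo.pop(0)
        if comp == "..":
            if stack:
                stack.pop()
            continue                # '..' at the chroot root is a no-op
        candidate = os.path.join(root, *stack, comp)
        if os.path.islink(candidate):
            links += 1
            if links > max_links:
                raise OSError("too many levels of symbolic links")
            target = os.readlink(candidate)
            if target.startswith("/"):
                stack = []          # absolute target: re-rooted at the chroot
            todo = [c for c in target.split("/") if c not in ("", ".")] + todo
            continue
        stack.append(comp)
    return os.path.join(root, *stack) if stack else root


def demo():
    """Build a constructed chroot tree and show where links resolve."""
    root = os.path.realpath(tempfile.mkdtemp(prefix="chroot-demo-"))
    outside = os.path.realpath(tempfile.mkdtemp(prefix="host-demo-"))
    try:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/:/bin/sh\n")       # constructed sample
        # Two symlinks that look like they point outside the tree.
        os.symlink("/etc/passwd", os.path.join(root, "abs-link"))
        os.symlink("../../../../etc/passwd", os.path.join(root, "dotdot-link"))
        # A file outside the tree, hard-linked into it.
        host_file = os.path.join(outside, "host-secret")
        with open(host_file, "w") as f:
            f.write("constructed host data\n")
        try:
            os.link(host_file, os.path.join(root, "hardlink"))
            same_inode = (os.stat(os.path.join(root, "hardlink")).st_ino
                          == os.stat(host_file).st_ino)
        except OSError:
            same_inode = None       # e.g. EXDEV: /tmp dirs on different filesystems

        abs_path = resolve_in_root(root, "/abs-link")
        dotdot_path = resolve_in_root(root, "/dotdot-link")
        return {
            "root": root,
            "abs": abs_path,
            "dotdot": dotdot_path,
            # Both symlinks land on the chroot's own /etc/passwd.
            "all_inside": all(p.startswith(root + os.sep) for p in (abs_path, dotdot_path)),
            # The hard link really is the outside file (same inode).
            "hardlink_shares_inode": same_inode,
        }
    finally:
        shutil.rmtree(root, ignore_errors=True)
        shutil.rmtree(outside, ignore_errors=True)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The practical reading for anyone building a chroot tree: symlinks inside the tree are harmless with respect to escape, but hard-linking host files into the tree (or bind-mounting host directories) hands the confined process the real host inode, so those are the places to audit. None of this changes Gordon's point that a root process can leave a chroot regardless; chroot is not a privilege boundary.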