Re: Chroot bug — Linux Kernel

On Wed, 26 Sep 2007 13:34:53 +0200
Miloslav Semler <[email protected]> wrote:

> Alan Cox napsal(a):
> >> but many program use this as security feature. So do you think that bind 
> >> may use vserver?
> >>     
> >
> > It would be a lot stronger if it did. A bind running non-root will be
> > probably safe. A bind running as root can be attacked and break out of a
> > chroot trivially. I guess it depends how you run bind.
> >   
> but not bind with selinux. It can chroot, but not  does other things. So 
> there is an question: Why we do not fix it. Tell me please some other 
> reason than "you can workaround chroot other ways".

If you are using SELinux you don't need chroot for the security in the
first place you can use labels and LSM modules can also handle things
like ptrace which permit trivial escapes.

Alan
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to [email protected]
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

References:
- Re: sys_chroot+sys_fchdir Fix
  - From: "Philipp Marek" <[email protected]>
- Re: sys_chroot+sys_fchdir Fix
  - From: David Newall <[email protected]>
- Re: sys_chroot+sys_fchdir Fix
  - From: Philipp Marek <[email protected]>
- Re: sys_chroot+sys_fchdir Fix
  - From: David Newall <[email protected]>
- Re: sys_chroot+sys_fchdir Fix
  - From: Bill Davidsen <[email protected]>
- Re: sys_chroot+sys_fchdir Fix
  - From: David Newall <[email protected]>
- Re: sys_chroot+sys_fchdir Fix
  - From: "Serge E. Hallyn" <[email protected]>
- Re: sys_chroot+sys_fchdir Fix
  - From: David Newall <[email protected]>
- Re: sys_chroot+sys_fchdir Fix
  - From: "Serge E. Hallyn" <[email protected]>
- Re: sys_chroot+sys_fchdir Fix
  - From: David Newall <[email protected]>
- Re: sys_chroot+sys_fchdir Fix
  - From: "Serge E. Hallyn" <[email protected]>
- Re: sys_chroot+sys_fchdir Fix
  - From: David Newall <[email protected]>
- Chroot bug (was: sys_chroot+sys_fchdir Fix)
  - From: David Newall <[email protected]>
- Re: Chroot bug (was: sys_chroot+sys_fchdir Fix)
  - From: Alan Cox <[email protected]>
- Re: Chroot bug
  - From: David Newall <[email protected]>
- Re: Chroot bug
  - From: Alan Cox <[email protected]>
- Re: Chroot bug
  - From: David Newall <[email protected]>
- Re: Chroot bug
  - From: Alan Cox <[email protected]>
- Re: Chroot bug
  - From: David Newall <[email protected]>
- Re: Chroot bug
  - From: Alan Cox <[email protected]>
- Re: Chroot bug
  - From: David Newall <[email protected]>
- Re: Chroot bug
  - From: Alan Cox <[email protected]>
- Re: Chroot bug
  - From: Miloslav Semler <[email protected]>

Prev by Date: Re: Chroot bug
Next by Date: Re: sys_chroot+sys_fchdir Fix
Previous by thread: Re: Chroot bug
Next by thread: Re: Chroot bug
Index(es):
- Date
- Thread

[Index of Archives] [Kernel Newbies] [Netfilter] [Bugtraq] [Photo] [Stuff] [Gimp] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux RAID] [Video 4 Linux] [Linux for the blind] [Linux Resources]