[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Jailkit-users] Beginner Question - Security consequences of use chr

From: Olivier Sessink
Subject: Re: [Jailkit-users] Beginner Question - Security consequences of use chroot
Date: Mon, 14 Jan 2008 12:32:22 +0100
User-agent: Thunderbird (X11/20071022)

Kevin Hilton wrote:
> I posted a question in Ubuntu forums to see what others would say
> about running a linux jailkit in terms of security risks:
> http://ubuntuforums.org/showthread.php?t=658621

as long as your users do not have root permissions inside the jail, a
jail will block a lot of possibilities for malicious users, but not all.
You need to combine that with filesystems with 'noexec' and a limited
shell and more, and even that will not stop everything. However, a lot
of automated attacks are stopped by such measures.

A lot of commercial security appliances use chroot (and several large
companies even use Jailkit to do this!), so I think that shows you that
it does add another layer of security.

But I agree, maintaining proper access rights is *always* important. But
chroot jails do more than just stopping users from reading/writing to
files outside the chroot:

Many attacks use exploits local available binaries, if these binaries
are not in the jail, the attack is stopped. Many attacks try to download
and execute scripts or install binaries. If there is no script
interpreter, and the user has only write access to an area that is
mounted with 'noexec' the attack is stopped.

So chroot jails *do* help. But they are just an extra layer of security,
not a total solution.


p.s. feel free to post this to the forum, I'm curious what the responses

reply via email to

[Prev in Thread] Current Thread [Next in Thread]