jailkit-users
[Top][All Lists]
Advanced
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: [Jailkit-users] Automated rsync jail creating program

From: b . c . jansen
Subject: RE: [Jailkit-users] Automated rsync jail creating program
Date: Tue, 6 Dec 2005 09:13:58 +0100 
Well... True :( damn you for  bursting my bubble lol... I'll rephrase it
into a lot harder to break then a root jail on 1 file system which has full
acces rights :P

Greets,
Bas  

-----Original Message-----
From: Olivier Sessink [mailto:address@hidden 
Sent: donderdag 1 december 2005 21:29
To: address@hidden
Subject: Re: [Jailkit-users] Automated rsync jail creating program

Bas Jansen wrote:
> Hey everyone again,
> 
> I managed to get this in a working prototype where 1 of the scripts 
> initiates a jailcreation and gives me a /bla/alb/ which contains a 
> /dev /usr /bin /lib and /home, i then change the /home to /data (tho 
> this isnt really necessary). Create a 1LVM block large FS (37 meg 
> default atm) and mv the /bla/alb/* files to there and run a mount 
> --bind -r  /chroot on it after i made it a file system.
> 
> A other script is able to then make this all into ready to go rsync 
> jails by adding a user to regular /etc/passwd, remounting /chroot as 
> rw and changing the /etc/passwd there, then remounting it to read only 
> and mounting the entire /chroot as a bind mount on /your_root/user. 
> Then i use a shared storage disk and mount it on /your_root/user/data 
> (the new home), this mount is RW, noexec, nosuid, nodev.
> 
> By doing this all (tho it may seem paranoid) i am convinced i have 
> created a ready to go unbreakable root jail even tho it runs several 
> processes as root.
> 
> If any of you have any requests or questions feel free to post them 
> and i may be able to put them in release 0.1 still :)

I wouldn't call it unbreakable, but it sure makes it very difficult. The
/lib/libc.so. still contains the chroot() system call. If you can make one
of the binaries do that system call you escape from the jail. It's a
theoretical issue, but "unbreakable" claims a lot ;-)


regards,
        Olivier


_______________________________________________
Jailkit-users mailing list
address@hidden
http://lists.nongnu.org/mailman/listinfo/jailkit-users
reply via email to
[Prev in Thread] Current Thread [Next in Thread]