RE: [Jailkit-users] Automated rsync jail creating program
From: b . c . jansen
Subject: RE: [Jailkit-users] Automated rsync jail creating program
Date: Tue, 6 Dec 2005 09:13:58 +0100
Well... True :( damn you for bursting my bubble lol... I'll rephrase it
into "a lot harder to break than a root jail on 1 file system which has full
access rights" :P
Greets,
Bas
-----Original Message-----
From: Olivier Sessink [mailto:address@hidden]
Sent: Thursday 1 December 2005 21:29
To: address@hidden
Subject: Re: [Jailkit-users] Automated rsync jail creating program
Bas Jansen wrote:
> Hey everyone again,
>
> I managed to get this in a working prototype where 1 of the scripts
> initiates a jail creation and gives me a /bla/alb/ which contains a
> /dev /usr /bin /lib and /home, I then change the /home to /data (though
> this isn't really necessary). Create a 1 LVM block large FS (37 meg
> default atm) and mv the /bla/alb/* files to there and run a mount
> --bind -r /chroot on it after I made it a file system.
>
> Another script is able to then make this all into ready to go rsync
> jails by adding a user to the regular /etc/passwd, remounting /chroot as
> rw and changing the /etc/passwd there, then remounting it read only
> and mounting the entire /chroot as a bind mount on /your_root/user.
> Then I use a shared storage disk and mount it on /your_root/user/data
> (the new home); this mount is RW, noexec, nosuid, nodev.
>
> By doing all this (though it may seem paranoid) I am convinced I have
> created a ready to go unbreakable root jail even though it runs several
> processes as root.
>
> If any of you have any requests or questions feel free to post them
> and I may be able to put them in release 0.1 still :)
I wouldn't call it unbreakable, but it sure makes it very difficult. The
/lib/libc.so. still contains the chroot() system call. If you can make one
of the binaries do that system call you escape from the jail. It's a
theoretical issue, but "unbreakable" claims a lot ;-)
regards,
Olivier
_______________________________________________
Jailkit-users mailing list
address@hidden
http://lists.nongnu.org/mailman/listinfo/jailkit-users
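The jail layout Bas describes relies on two mount properties: the bind-mounted /chroot under /your_root/user must stay read-only, and the shared data disk under /your_root/user/data must be rw,nodev,nosuid,noexec. The following script is an added example, not code from the thread or from Jailkit: it parses a mount table in /proc/mounts format and reports every mount point whose options drift from that policy. The sample mount lines, device names and filesystem types are constructed; only the paths and options come from the message above.

```python
"""Verify that an rsync jail's mounts carry the options the thread requires.

Added example (not Jailkit code). Reads /proc/self/mounts-style text and
checks the jail root is 'ro' and the data mount is rw,nodev,nosuid,noexec.
"""
import re
import sys

# Required options per mount point; paths come from the thread above.
POLICY = {
    "/your_root/user": {"ro"},
    "/your_root/user/data": {"rw", "nodev", "nosuid", "noexec"},
}

# Constructed sample: the data mount here lacks 'noexec' and must be flagged.
SAMPLE_MOUNTS = """\
/dev/mapper/vg0-jail /chroot ext3 ro,relatime 0 0
/dev/mapper/vg0-jail /your_root/user ext3 ro,relatime 0 0
/dev/sdb1 /your_root/user/data ext3 rw,nosuid,nodev,relatime 0 0
"""


def _unescape(path):
    """/proc/mounts writes spaces and other specials as \\ooo octal escapes."""
    return re.sub(r"\\([0-7]{3})", lambda m: chr(int(m.group(1), 8)), path)


def parse_mounts(text):
    """Return {mountpoint: set(options)} from lines of
    'device mountpoint fstype options dump pass'."""
    table = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # blank or truncated line
        table[_unescape(fields[1])] = set(fields[3].split(","))
    return table


def check_jail_mounts(text, policy=POLICY):
    """Return a list of problems; an empty list means the policy holds.
    /proc/mounts always lists exactly one of ro/rw, so a missing 'ro'
    also means the jail root was left writable."""
    mounts = parse_mounts(text)
    problems = []
    for path, required in policy.items():
        opts = mounts.get(path)
        if opts is None:
            problems.append(f"{path}: not mounted")
            continue
        problems.extend(f"{path}: missing {o}" for o in sorted(required - opts))
    return problems


if __name__ == "__main__":
    # Run against the live mount table when a path is given, else the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_MOUNTS
    for p in check_jail_mounts(text) or ["all jail mounts match policy"]:
        print(p)
```

Run it as `python3 check_jail.py /proc/self/mounts` on the host after the per-user bind mounts are in place; any output line names a mount that needs remounting.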