[Cialug] Locking your keys in the car

Thu Nov 29 08:23:31 CST 2007

Yes, Alan Cox is right.  If you are root, you can break out of the
chroot in all sorts of fun ways.  He is also right that chroot is not a
security tool.

The telephone is also not a security tool.  However, almost every home
security system uses the telephone to alert the monitoring station when
there are problems.  The entire system fails if a burglar is smart
enough cut the phone wires before burgling a house.

The good news in both situations is that the vast majority of burglars
and malware authors are lazy.  (Some of them are also stupid, but
laziness is the key factor here.)  When you have a security system in
place, a burglar may come by and scope out your house.  They may still
look in your windows, and see how nice your stuff is.  However, if your
stuff is comparable to your neighbor's and your neighbor doesn't have a
security system, who do you think the burglar will burgle?

Chroot is similar.  Any day your system may be attacked by any number of
attackers.  The vast majority of these are automated and looking for
specific results.  Since most daemons are chrooted, these automated
attack tools tend to not include code to break out of chroot, so the
scan fails and reports that your system is not vulnerable.  So, the
attackers move on the next vulnerable server and attack that one.

At this level, it's not about outrunning the bear.

However, to get at the heart of Alan Cox's point, the entire game
changes when you go from being a general target to a specific one.  If a
burglar wants to get into YOUR house, they can get it.  If the bear
doesn't care about your friend, and wants to eat YOU, odds are it will. 
It doesn't matter what system you have in place, there are many many
ways to get in:

* You can cut the phone line and pick the lock
* You can put on a uniform, rent a white van, and cut down a tree to
land on the corner of the house.  Look "official" when you walk inside.
* You can know when the owners are on vacation and use a chain saw to
cut a hole in the back wall.
* You can get hired as a cleaning service

etc etc etc

Similarly, if someone wants into your system, odds are you can get in:

* You can break chroot in many ways
* You can reset both basic and extended permissions
* You can install a root kit
* You can use social engineering to get valid credentials

etc etc etc

So, the point that Alan Cox makes can be better stated as "Do not rely
on chroot alone to secure a poorly coded application."  My point can be
better stated as "Use chroot to reduce risk and buy you time to deploy a
defense in depth strategy".

Security is not about easy answers, it's about choosing the most bang
for your buck in an iterative approach to slowly improve the protection
of your assets.  Chroot has a lot of bang for very little buck.  The
hard part is to not stop there.

Another thing you can do is to not taunt the bear.  *grin*

-Josh More, RHCE, CISSP, NCLP, GIAC 
 morej at alliancetechnologies.net 
 515-245-7701

>>> "Chris Freeman" <cwfreeman at gmail.com> 11/29/07 12:20 AM >>>
On Nov 28, 2007 5:15 PM, Josh More <morej at alliancetechnologies.net>
wrote:

> that jail.  For systems that don't work this, look into use chroot to
> jail specific dangerous daemons.
>
>
Perhaps our resident security experts can clear up something for me.
Alan
Cox says (http://kerneltrap.org/Linux/Abusing_chroot):

chroot is not and never has been a security tool. People have built
things based upon the properties of chroot but extended (BSD jails,
Linux
vserver) but they are quite different.

So, is chroot a valid tool to use to jail dangerous daemons? It would
seem that the kernel folks say no. But that's the only context I've
heard anyone talk about chroot in.

Chris