> Properly set permissions don't protect against access by root.
> Most services you would desire to protect by chroot()ing them
> run as root.
If your service is running as root, then running in a chroot jail does
not buy you very much. Root can break out of a chroot jail fairly
trivially by making a few chroot and chdir calls of its own. That's
why it's important to make sure your service drops root priveledges.
I suppose you might be able to get away with it as long as you don't
have any compilers, or low-level interpreted language engines (perl,
python), and no way for attackers to ftp out or whatever to bring in
their own binaries, but even still, nature will find a way :). If
your service is capable of dropping root priveledges, it needs to do
so, because the only thing chrooting a process running as root gets
you is a little time, and a false sense of security.
~ Daniel Jarboe
________________________________________________________________
The best thing to hit the internet in years - Juno SpeedBand!
Surf the web up to FIVE TIMES FASTER!
Only $14.95/ month - visit www.juno.com to sign up today!
This archive was generated by hypermail 2.1.3 : Fri Aug 01 2014 - 17:21:47 EDT