On Wed, Oct 10, 2007 at 11:30:14AM -0500, Larry Becke wrote:
> chroot'ing should not be used as a security method, that's been clearly
> stated time and again.


oh boy. it's statement like these that i've spent half this past week
rebutting people on LWN and LKML.

chroot can and should be used WHERE PRACTICABLE, and with other methods.
Just because root can break out of chroot, doesn't mean chroot cannot be
used for security. It only means that use of chroot as a security measure is
almost entirely useless WHEN THE PROCESS MUST HAVE root privileges. It's
utility is also diminished by other circumstances, like kernel bugs and
other extravagant (though often common) ways to circumvent a chroot jail.
Like any security measure, chroot is not unique in this regard. And like
almost _all_ security measures, the tool needn't have been intended
primirily or even originally to be used that way. At the end of the day lack
of security isn't about not using enough security devices, its about using
regular tools insecurely. Period.

How people can think that hacking up a user-land program to parse and
normalize arbitary string paths from hostile users is more secure than
intelligently employing chroot.... I cannot understand this.... The exposure
that the instrumentalities of chroot to arbitrary input is so much
restricted in comparison, because the kernel.... do I even need to
explain....

Note I'm not arguing about the scp modification; this is more about the
off-the-cuff remark about chroot.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/li...enssh-unix-dev