[lug] preventing malicious scripts

Gus Huber gus at pbx.org
Fri Sep 7 16:24:34 MDT 2001 

On Fri, Sep 07, 2001 at 03:09:55PM -0600, D. Stimits wrote:
> One of the good-side notes from the article mentions that several root
> exploits require access to suid root programs, and the chroot
> effectively removes that access. So even though root can do nasty
> things, it becomes harder to gain root. Plus there are all kinds of
> files that are just no longer available until chroot is broken...a
> chicken-and-egg thing for the attacker. chroot isn't perfect, but it is
> a strong aid.

I agree that chroot is a very effective manner of limiting access.  I am just saying it is necesecary to ensure that the application drops root privelages immediatly after issuing the chroot();  Most of the attacks described are kernel specific where you as root would create a kenrel memory device ( and in os's where memory access is denied the attacker would be SOL - see the secure levels in freebsd for an example of this ).  Once the attacker has access to all memory in the machine the attack is trivial.. I have seen packages that do it, none which were ever publicly release however.  It is true you would not be dealing with your every day script kiddies, but presuming they got that far in the first place they probabaly have half a brain enought to dig up the information.

Under FBSD there is a more effective option called a jail, which is like a chroot but also has limited access to all syscalls which require super() privelages.  It also is limited to the ip space bound to the jail.

Again I would like to make clear that while not foolproof, chroot is an extremely effective tool for hardening security on your out of the box systems.  if you are looking for much more security I suggest investigating trusted unix operating systems such as Argus Systems trusted solaris, and any os's which impliment Mandatory Access Control.  

Also of interest is libcap for linux.  it takes advantage of the capabilities in linux which allow you to fine tune privelages processes have with a non-root uid.. you can allow a proces for example to only have the root-like capability to bind to raw sockets and nothing else... it is a very effective way to limit access...

	cheers,
		gus huber <gus at pbx.org>

More information about the LUG mailing list