Michael.Paoli at cal.berkeley.edu
Fri Sep 28 05:50:34 PDT 2007
*Properly* implemented, chroot can be a quite effective security tool.
chroot is *not* an adequate defense against UID 0 (superuser, a.k.a.
"root") - most any basic *NIX security book will tell you that -
there are just too many ways that UID 0 is an exception and isn't
restrained in the manners applicable to all other UIDs, that it's far
too easy for UID 0 to break out of a chroot environment.
Yes, it requires UID 0 to invoke chroot, but UID 0 can
setgid(2)/setuid(2), and can do so within chroot, and done so
properly, that dropping of UID 0 privilege is quite effectively
irrevocable by the PID (and thus, once done properly, *and* done
properly in a properly secured chroot environment, chroot can then be
Again, some good security references will generally tell one at least
the basic dos and don'ts of a chroot environment.
Though not a guarantee against ignorance and stupidity, some OS
flavors include utilities (e.g. the BSDs' jail) to make it a bit
easier to set up a properly secured chroot environment - and at least
in some cases, to also add some additional security enhancements to
Quoting Christian Einfeldt <einfeldt at gmail.com>:
> On 9/27/07, Christian Einfeldt <einfeldt at gmail.com> wrote:
> > heh, here is a /. article which talks about chroot as a security
> > if I am reading the summary correctly. I haven't read the story yet.
> > http://it.slashdot.org/it/07/09/27/2256235.shtml
> hmm, but the comments are trashing the assertion that chroot is insecure...
> because chroot requires root access!
More information about the sf-lug