[sf-lug] chroot

Michael Paoli Michael.Paoli at cal.berkeley.edu
Fri Sep 28 05:50:34 PDT 2007

*Properly* implemented, chroot can be a quite effective security tool.

chroot is *not* an adequate defense against UID 0 (superuser, a.k.a. 
"root") - most any basic *NIX security book will tell you that -
there are just too many ways that UID 0 is an exception and isn't
restrained in the manners applicable to all other UIDs, that it's far
too easy for UID 0 to break out of a chroot environment.

Yes, it requires UID 0 to invoke chroot, but UID 0 can 
setgid(2)/setuid(2), and can do so within chroot, and done so
properly, that dropping of UID 0 privilege is quite effectively
irrevocable by the PID (and thus, once done properly, *and* done
properly in a properly secured chroot environment, chroot can then be
quite secure).

Again, some good security references will generally tell one at least
the basic dos and don'ts of a chroot environment.

Though not a guarantee against ignorance and stupidity, some OS 
flavors include utilities (e.g. the BSDs' jail) to make it a bit 
easier to set up a properly secured chroot environment - and at least 
in some cases, to also add some additional security enhancements to 
that environment.

Quoting Christian Einfeldt <einfeldt at gmail.com>:

> On 9/27/07, Christian Einfeldt <einfeldt at gmail.com> wrote:
> >
> > heh, here is a /. article which talks about chroot as a security
> weakness,
> > if I am reading the summary correctly.  I haven't read the story yet.
> >
> > http://it.slashdot.org/it/07/09/27/2256235.shtml
> >
> hmm, but the comments are trashing the assertion that chroot is insecure...
> because chroot requires root access!

More information about the sf-lug mailing list