[Techtalk] Re: Server was hacked into; looking for tips on how to secure it

Raven Alder raven at oneeyedcrow.net
Mon Mar 3 15:18:15 EST 2003


Heya --

Quoth Alain Tesio (Mon, Feb 24, 2003 at 08:47:49PM +0100):
> Hi, some advertisement for a script I wrote, makejail which automatizes almost all
> usual things you need to do to build and update a chroot jail, like finding which
> libraries are used, which config files it needs, ...
> http://www.floc.net/makejail/
> There are some debian packages in unstable and testing.

	That's very cool and useful.  Thanks for posting the link!
 
> > 	The real kicker is the logs.  If you keep them in the chroot
> > jail, any attacker that can become the Apache user can likely monkey
> > with the logs.
> 
> > If you put them out of the jail, that makes it a lot easier to break the jail.
> 
> Can you explain this ?

	Sure.  One common mistake that I've seen in chroot environments
is for someone to install a chrooted daemon in (say) /chroot.  Then they
want to make sure that they log outside of the jail so an attacker that
compromises that one daemon can't hose their logs.  So they'll install a
non-chrooted log managing program in the chroot jail, and tell it to log
to /var/log rather than /chroot/var/log or some such thing.  Then the
daemon user gets compromised, executes the log manager process and
breaks out of it into a shell, and whammo, no more jail.

	If you're going to have a chroot jail, daemons runnable from
within that jail should be chrooted to that jail, and should not run as
root.  Otherwise you're just asking for it.  If you want to manage logs
both within and without the jail, have your log manager program outside
of the jail.  Nothing from the inside of the jail should indicate that
there is anything outside of the jail.

	More on chroot breaking:

http://www.bpfh.net/computing/docs/chroot-break.html

Cheers,
Raven
 
"One more day of work and you should be ready for testing here."
"Uh.  Testing.  Right.  Of course."
  -- nervous-making conversation from consulting
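Added example (not from the thread, and not part of makejail): a small Python audit that walks a populated jail directory and flags the things the post warns about, namely files that let whoever becomes the daemon user turn into root inside the jail (setuid/setgid binaries, device nodes) and anything inside the jail that points outside it (symlinks that a non-chrooted helper such as a log manager would follow out, hard links to host files) or that was never copied in (dangling links, the case makejail exists to fix). The sample jail it builds when run with no argument is constructed for the demonstration; the names in it (bin/logmgr, etc/shadow, lib/libc-2.3.1.so and so on) are made up, and the script only inspects the filesystem, it does not prove a jail is unbreakable.

```python
#!/usr/bin/env python3
"""Audit a chroot jail directory for things that make it easy to break.

    python3 jail_audit.py /chroot      # audit a real jail
    python3 jail_audit.py              # audit a constructed sample jail

Exit status is 1 when anything was flagged, so it can run from cron."""
import os
import stat
import sys
import tempfile


def _inside(jail, path):
    """True if canonical `path` lies under the canonical jail root."""
    return path == jail or path.startswith(jail + os.sep)


def audit_jail(jail):
    """Walk `jail` and return a list of (kind, relative_path, note)."""
    jail = os.path.realpath(jail)
    findings = []
    for dirpath, dirnames, filenames in os.walk(jail):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, jail)
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                # realpath resolves the link the way a NON-chrooted process
                # does: an absolute target like /var/log is the host's /var/log,
                # not <jail>/var/log.  A chrooted process would see the latter,
                # so the link is exactly the "something outside the jail" that
                # a helper running outside the jail will follow.
                target = os.path.realpath(path)
                if not _inside(jail, target):
                    findings.append(("symlink-outside", rel,
                                     "resolves to %s on the host" % target))
                elif not os.path.exists(target):
                    findings.append(("dangling-symlink", rel,
                                     "target %s was never copied into the jail"
                                     % os.path.relpath(target, jail)))
                continue  # permission bits on a symlink itself mean nothing
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append(("device-node", rel,
                                 "confirm it is one the daemon needs (null, zero, random)"))
            if mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append(("setuid-setgid", rel,
                                 "lets the daemon user become another user, possibly root"))
            if stat.S_ISREG(mode) and st.st_nlink > 1:
                findings.append(("hard-link", rel,
                                 "%d links to this inode; one may be a host file" % st.st_nlink))
            if (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
                findings.append(("world-writable", rel,
                                 "any user in the jail can plant files here"))
    return findings


def build_sample_jail():
    """Constructed sample (not a real system): one of each mistake, plus one
    correctly populated library symlink.  Returns the jail root."""
    root = tempfile.mkdtemp(prefix="jailaudit-")
    jail = os.path.join(root, "chroot")
    for d in ("bin", "etc", "lib", "tmp", "var/log"):
        os.makedirs(os.path.join(jail, d))
    # 1. a setuid "log manager" inside the jail (hypothetical name)
    logmgr = os.path.join(jail, "bin", "logmgr")
    with open(logmgr, "w") as f:
        f.write("#!/bin/sh\n")
    os.chmod(logmgr, 0o4755)
    # 2. an absolute symlink copied straight from the host
    os.symlink("/var/log", os.path.join(jail, "etc", "log"))
    # 3. a hard link to a file that lives outside the jail
    outside = os.path.join(root, "shadow")
    with open(outside, "w") as f:
        f.write("root:*:12000:0:99999:7:::\n")   # constructed content
    os.link(outside, os.path.join(jail, "etc", "shadow"))
    # 4. a world-writable directory without the sticky bit
    os.chmod(os.path.join(jail, "tmp"), 0o777)
    # 5. one library copied in correctly, one whose link dangles
    with open(os.path.join(jail, "lib", "libc-2.3.1.so"), "wb") as f:
        f.write(b"\x7fELF")                      # placeholder, not a real library
    os.symlink("libc-2.3.1.so", os.path.join(jail, "lib", "libc.so.6"))
    os.symlink("libm-2.3.1.so", os.path.join(jail, "lib", "libm.so.6"))
    return jail


def main(argv):
    jail = argv[1] if len(argv) > 1 else build_sample_jail()
    findings = audit_jail(jail)
    for kind, rel, note in findings:
        print("%-16s %-18s %s" % (kind, rel, note))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the real jail root, not from inside the jail: the whole point is that the check sees both sides of the boundary, which a chrooted process cannot. A clean run is necessary but not sufficient; the daemon's own configuration still has to be read for paths that only make sense on the host.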
_______________________________________________
Techtalk mailing list
Techtalk at linuxchix.org
http://mailman.linuxchix.org/mailman/listinfo/techtalk