DISCLAIMER:
The chroot command and the chroot() system call might sound like a good security
measure - one command executed and plain old UNIX "cd /" no longer
certain conditions are met. In this paper we will analyze what chroot
on the UNIX system command line one sees that the new root is now
located within your new root). The chroot shell command changes the root
directory for a process, goes into this directory and then starts a
The chroot command uses the chroot() system call. The command and the system
command, chroot() call does not change your working directory to the
-----------------
chroot(argv[1]);   /* make the given directory the process's root */
chdir("/");        /* then move the working directory inside it */
-----------------
As will be seen below, this allows for easy chroot jail breaking.
anonymous ftp server, one has used chroot. The ftp server chroots itself
into a special directory upon anonymous ftp login. DNS (Domain
pages. Web servers can be run chrooted too. Smap secure email wrapper
from FWTK firewall tool kit runs chrooted to the mail spool directory.
spool (such as mqueue), user's home directories (to check for .forward
is separated into spool daemon and mail transfer program (like done in
and: http://archives.neohapsis.com/archives/sf/linux/2001-q4/0197.html
sometimes the benefits are unclear, especially for daemons that run as
Second, the number of ways that the root user can break out of chroot is
huge, starting from the simple use of a chroot() call with no chdir() [see
(http://www.big.net.au/~silvio/runtime-kernel-kmem-patching.txt),
attackers.
---------------
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
int main(void)
{
int i;
mkdir("breakout", 0700);
chroot("breakout");   /* no chdir(): the working directory stays outside the new root */
for (i = 0; i < 1024; i++)   /* loop count is an assumption: any value deeper than the tree works */
chdir("..");
chroot(".");          /* the real root is the root again; this is why root must be dropped */
execl("/bin/sh", "/bin/sh", (char *)NULL);
return 0;
}
---------------
escape.
privileges right after the chroot() call (as in the code below),
there is no way to gain a root shell or perform actions that only root
software uses chroot for security, the sequence of calls should be:
---------------
chdir("/home/safedir");
chroot("/home/safedir");
setuid(500);
---------------
Keep in mind that after these lines are executed there will be no way
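The recommended sequence above, carried out with every return value checked and with a final test that root cannot be regained, as an added example that is not from the paper. enter_jail() and privileges_dropped() are hypothetical helper names, and 65534 is assumed to be the unprivileged "nobody" uid/gid.

```c
#define _DEFAULT_SOURCE           /* for setgroups() on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 1 if root can no longer be regained, 0 otherwise. */
int privileges_dropped(void)
{
    /* After a real privilege drop, setuid(0) must fail and both uids are non-zero. */
    if (setuid(0) == 0 || getuid() == 0 || geteuid() == 0)
        return 0;
    return 1;
}

/* Enter the jail in the order the paper recommends: chdir() into the directory,
 * chroot() it, then give up root. Every call is checked; the function returns 0
 * on success and -1 (with errno set) if any step fails. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (chdir(dir) != 0)       /* cwd is now inside the future root */
        return -1;
    if (chroot(".") != 0)      /* same as chroot(dir) once cwd == dir; needs root */
        return -1;
    if (chdir("/") != 0)       /* be explicit: cwd is the jail root, not outside it */
        return -1;
    /* Groups first: once the uid is unprivileged, groups cannot be changed. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (!privileges_dropped()) {   /* never run jailed code that can still get root */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 2) { fprintf(stderr, "usage: %s <jail-dir>\n", argv[0]); return 2; }
    if (enter_jail(argv[1], 65534, 65534) != 0) {  /* 65534: "nobody" on many systems */
        perror("enter_jail");
        return 1;
    }
    execl("/bin/sh", "/bin/sh", (char *)NULL);     /* unprivileged shell inside the jail */
    perror("execl");
    return 1;
}
```

Run as root against an existing jail directory; as an unprivileged user chroot() fails with EPERM and the function refuses to continue.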
Fourth, in some cases attackers might not be able to break (i.e. run
for logging bind messages into the regular system logs. By crafting a
malicious log message and sending it into /dev/log from within the
(sshd, telnet with a root account within the chrooted directory) does not
will prevent an attacker from reading files outside the chroot jail
and will prevent many local UNIX attacks (such as SUID abuse and /tmp
race conditions).
This is an updated author bio, added to the paper at the time of reposting in 2009.
Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in the
field of log management and PCI DSS compliance. He is the author of the books "Security
Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy II", "Information
Security Management Handbook" and others. Anton has published dozens of papers
on log management, correlation, data analysis, PCI DSS and security management (see the list
at www.info-secure.org). His blog http://www.securitywarrior.org is one of the most
popular in the industry.
In addition, Anton teaches classes and presents at many security conferences across
the world; he recently addressed audiences in the United States, UK, Singapore, Spain,
Russia and other countries. He works on emerging security standards and serves on
the advisory boards of several security start-ups.
Currently, Anton is developing his security consulting practice, focusing on logging and
PCI DSS compliance for security vendors and Fortune 500 organizations. Dr. Anton
Chuvakin was formerly a Director of PCI Compliance Solutions at Qualys. Previously,
Anton worked at LogLogic as a Chief Logging Evangelist, tasked with educating the
world about the importance of logging for security, compliance and operations. Before
LogLogic, Anton was employed by a security vendor in a strategic product
management role. Anton earned his Ph.D. degree from Stony Brook University.