[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: End of bind-chroot-admin script



On Mon, Nov 10, 2008 at 01:34:23PM +0100, Adam Tkac wrote:
> Chroot is good and traditional method how restrict daemons. Many users
> still use it and it is far more easy create chroot configuration than
> create/maintain SELinux policy. I don't think SELinux obsoletes
> chroot, both try restrict daemon privileges and both have + and -.

chroot isn't a security feature. It helps for some non-root cases but there
are ways out of chroots and there are all sorts of fun things that can be
used to escape a chroot in the right circumstances.

Its also inadequate for some forms of attack. If I can persuade your named to
run code of my choice in a chroot without selinux then I can still use your
box as a spam machine, botnet host, DoS attack tool, proxy, etc .. all without
breaking the chroot.

In the SELinux case a lot of those actions will hit SELinux denials.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]