Josh Trutwin writes:
> A little bit of searching tells me that this is a security risk.
> Does anyone here know anything more about this? I saw somewhere
> googling that it is possible using a 2.4.x kernel to make a "more
> secure /proc filesystem" but they didn't say how.

It is only insecure if the kernel has security holes in the /proc
filesystem code.

> Does anyone have opinions on the security a chroot jail provides for
> login accounts? I've seen stuff like this on the web and it makes me
> a little antsy: http://www.bpfh.net/simes/computing/chroot-break.html
> but it's better than just giving full system access I guess.

It provides more security because you only have to worry about the
security of the kernel and not all of the setuid programs that are
normally installed with the OS.

That page is merely an explanation of what should be common knowledge:
chroot does nothing to protect against root.

If a chroot jail has no setuid binaries, then the only way to get root
is through a kernel security hole. A non-privileged user cannot break
out of a chroot jail.

You might look at FreeBSD's jail:

http://docs.freebsd.org/44doc/papers/jail/jail.html
http://www.freebsd.org/cgi/man.cgi?query=jail&sektion=2
http://www.freebsd.org/cgi/man.cgi?query=jail&sektion=8

> Also, do people make /dev in their chroots? If so, how?

They might. Devices are created as normal using mknod(2). Your OS
might have a script like /dev/MAKEDEV that does this for you.

-- 
David Phillips <david at acz.org>
http://david.acz.org/

_______________________________________________
TCLUG Mailing List - Minneapolis/St. Paul, Minnesota
http://www.mn-linux.org tclug-list at mn-linux.org
https://mailman.real-time.com/mailman/listinfo/tclug-list
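One way to check the condition stated in the reply above (a jail with no setuid binaries) and to list any device nodes created under it. This is an added example, not part of the original post; the function names `audit_jail` and `build_sample_jail` and the sample tree are constructed for illustration.

```python
import os
import stat
import tempfile


def audit_jail(root):
    """Return sorted (kind, path) findings for the chroot tree at root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            rel = "/" + os.path.relpath(full, root)  # path as seen inside the jail
            mode = st.st_mode
            if stat.S_ISREG(mode):
                if mode & stat.S_ISUID:
                    findings.append(("setuid", rel))
                # setgid without group-execute is not a privilege-raising binary
                if mode & stat.S_ISGID and mode & stat.S_IXGRP:
                    findings.append(("setgid", rel))
            elif stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                # device nodes made with mknod(2) or MAKEDEV
                findings.append(("device", rel))
    return sorted(findings)


def build_sample_jail():
    """Constructed sample tree: one plain binary and one setuid binary."""
    root = tempfile.mkdtemp(prefix="jail-")
    os.mkdir(os.path.join(root, "bin"))
    for name, mode in (("sh", 0o755), ("su", 0o4755)):
        path = os.path.join(root, "bin", name)
        with open(path, "w") as f:
            f.write("placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_jail()
    for kind, path in audit_jail(target):
        print(f"{kind:7} {path}")
```

Run it with the jail's root directory as the only argument; an empty result means the tree contains no setuid or setgid executables and no device nodes.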