What chroot() is really for
Posted Oct 4, 2007 17:12 UTC (Thu) by wahern (subscriber, #37304)
Parent article: What chroot() is really for
The advice to not use chroot() for "security" is just plain wrong. "Security" involves innumerable facets of programming. To say that because something doesn't address all of them simultaneously, and thus shouldn't be used at all, is... I can't even begin to describe how wrong that advice is. The proper way to use chroot() in a security-conscious application is:
chroot()
chdir()
setuid()
How simple is that? Is it fool-proof? Of course not. Neither is a program which fixes all of its out-of-bounds memory accesses perfectly secure. But that doesn't mean one should counsel people not to fix the bugs.
One of the best rules of thumb in writing secure software is minimization: minimize the resources used; minimize the resources available; minimize privilege; minimize, minimize, minimize. chroot() fits perfectly into that paradigm.
When people start thinking that it's better to run a daemon inside VMWare because somebody suggests chroot() is useless, it shows just how misleading that advice was (and running VMWare isn't exactly minimization, either, when you consider you're adding millions of lines of code to your software stack). Just because unplugging your computer from the network is "more secure" than having an internet connection doesn't mean it's either practical or even advisable. chroot() is practical and useful for enhancing the security profile of a Unix application, period.
That novice and ignorant programmers fall short of proper and sufficient use is neither a new phenomenon, nor reason alone to give such misleading advice.
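The three-call sequence from the comment above, written out as an added example (this is not code from the comment or from LWN): it keeps the author's order chroot(), chdir(), setuid(), passes "/" to chdir() so the working directory is inside the new root, drops supplementary groups and the gid before the uid, and then checks that root cannot be regained. The jail path /var/empty, the uid/gid 65534 and the function names confine() and cwd_is_root() are assumptions for illustration; the program needs root to actually perform the chroot.

```c
/* Added example, not from the original comment. Assumes a POSIX/Linux host;
 * the jail directory, uid/gid and function names are hypothetical. */
#define _GNU_SOURCE      /* setgroups() is not in strict POSIX */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Confine the calling process to 'root' and drop to uid/gid.
 * Returns 0 on success, -1 (errno set) if a step failed, and -2 if the
 * calls succeeded but privilege can still be regained: the caller must
 * then exit rather than run with a jail it can trivially leave. */
int confine(const char *root, uid_t uid, gid_t gid)
{
    /* 1. Change the root. chroot() does not move the working directory,
     *    so a cwd outside the new root stays reachable by relative paths. */
    if (chroot(root) == -1)
        return -1;
    /* 2. Move the cwd into the new root so ".." cannot climb out of it. */
    if (chdir("/") == -1)
        return -1;
    /* 3. Drop supplementary groups, then the gid, then the uid. The uid
     *    goes last: once it is non-zero, gid changes are no longer allowed. */
    if (setgroups(0, NULL) == -1)
        return -1;
    if (setgid(gid) == -1)
        return -1;
    if (setuid(uid) == -1)
        return -1;
    /* 4. Verify the drop is irrevocable. setuid() from root sets all three
     *    uids; if setuid(0) still works, the saved uid was left at 0 (as
     *    seteuid() would do) and the chroot can be escaped by regaining root. */
    if (setuid(0) != -1 || setgid(0) != -1)
        return -2;
    return 0;
}

/* After confinement the cwd must be "/" of the new root. */
int cwd_is_root(void)
{
    char buf[256];
    if (getcwd(buf, sizeof buf) == NULL)
        return 0;
    return strcmp(buf, "/") == 0;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : "/var/empty"; /* hypothetical jail */
    int rc = confine(root, 65534, 65534);                  /* 65534: "nobody" by convention */
    if (rc == -1) {
        fprintf(stderr, "confine(%s) failed: %s\n", root, strerror(errno));
        return 1;
    }
    if (rc == -2) {
        fprintf(stderr, "privilege drop is not irrevocable; refusing to continue\n");
        return 1;
    }
    printf("confined: uid=%u cwd_is_root=%d\n", (unsigned)geteuid(), cwd_is_root());
    return 0;
}
```

Run it as root with an existing, empty, root-owned directory as the argument; as an unprivileged user confine() fails at chroot() with EPERM, which is the expected result rather than a bug. The -2 path is the check worth keeping in a real daemon: a jail that can be left by calling setuid(0) is not minimization at all.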