Posted Jan 7, 2010 7:18 UTC (Thu) by jimparis (subscriber, #38647)
Parent article: The isolate utility
From the homepage:
"isolate currently suffers from some bad security bugs! These are local root privilege escalation bugs. Thanks to the helpful person who reported them (email Chris if you want credit!). We're working to fix them ASAP, but until then, isolate is unsafe and you should uninstall it. Sorry!"
No surprise -- the method, as inspired by DJB, is bound to fail:
"· Prohibit new files, new sockets, etc., by setting the
current and maximum RLIMIT_NOFILE limits to 0.
· Prohibit filesystem access: chdir and chroot to an
· Choose a uid dedicated to this process ID. This can
be as simple as adding the process ID to a base uid,
as long as other system-administration tools stay away
from the same uid range.
· Ensure that nothing is running under the uid: fork a
child to run setuid(targetuid), kill(-1,SIGKILL),
and _exit(0), and then check that the child exited
· Prohibit kill(), ptrace(), etc., by setting gid and uid
to the target uid.
· Prohibit fork(), by setting the current and maximum
RLIMIT_NPROC limits to 0.
· Set the desired limits on memory allocation and other
· Run the rest of the program."
The policy of "run the program, but limit it from performing these specific bad actions" only works if you're 100% sure you covered everything bad. Forget one thing, or one new kernel feature or anything else, and you've lost...
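As an added illustration (not code from isolate, and not DJB's own), here is the quoted sequence written out in C for Linux. A forked child applies the steps in the quoted order, then probes whether open() and fork() really are refused, and reports result bits through its exit status; the parent's limits, uid and root directory are never touched. Assumptions not in the quoted text: the dedicated uid range starts at 60000, the empty directory is a mkdtemp() under /tmp, setgroups() is called before the gid/uid switch, and the chroot and uid steps run only when the process is root (otherwise they are skipped and flagged rather than attempted).

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/resource.h>
#include <sys/wait.h>
#include <unistd.h>

/* Result bits reported by the sandboxed child. */
enum {
    STEP_NOFILE_OK   = 1,  /* open() failed with EMFILE after RLIMIT_NOFILE = 0 */
    STEP_CHROOT_OK   = 2,  /* chdir + chroot into the empty directory succeeded */
    STEP_UID_OK      = 4,  /* uid swept clean, then gid/uid switched to it */
    STEP_NPROC_OK    = 8,  /* fork() failed with EAGAIN after RLIMIT_NPROC = 0 */
    STEP_NOT_ROOT    = 16, /* chroot/uid steps skipped: not running as root */
    STEP_PRIV_FAILED = 32  /* root, but a chroot/setgid/setuid step failed */
};

#define UID_BASE 60000u  /* assumed free uid range; not from the page */

/* DJB's "add the process ID to a base uid". */
uid_t pick_uid(uid_t base, pid_t pid)
{
    return base + (uid_t)pid;
}

static int set_zero_limit(int resource)
{
    struct rlimit rl = { 0, 0 };
    return setrlimit(resource, &rl);
}

/* Throwaway child becomes targetuid and SIGKILLs everything it may signal,
 * i.e. anything already running under that uid. 0 only on a clean exit. */
static int sweep_uid(uid_t targetuid)
{
    int status;
    pid_t p = fork();
    if (p < 0)
        return -1;
    if (p == 0) {
        if (setgid(targetuid) != 0 || setuid(targetuid) != 0)
            _exit(1);
        kill(-1, SIGKILL);
        _exit(0);
    }
    if (waitpid(p, &status, 0) != p)
        return -1;
    return (WIFEXITED(status) && WEXITSTATUS(status) == 0) ? 0 : -1;
}

/* Runs inside the child: apply the steps, then probe what is still allowed. */
static int apply_and_probe(const char *jail)
{
    int flags = 0;
    pid_t p;

    if (set_zero_limit(RLIMIT_NOFILE) != 0)
        return flags;

    if (geteuid() == 0) {
        uid_t target = pick_uid(UID_BASE, getpid());
        int ok = 1;
        if (chdir(jail) == 0 && chroot(jail) == 0)
            flags |= STEP_CHROOT_OK;
        else
            ok = 0;
        /* setgroups() is an addition: without it root's supplementary
         * groups survive the uid switch. */
        if (sweep_uid(target) == 0 && setgroups(0, NULL) == 0 &&
            setgid(target) == 0 && setuid(target) == 0)
            flags |= STEP_UID_OK;
        else
            ok = 0;
        if (!ok)
            flags |= STEP_PRIV_FAILED;
    } else {
        flags |= STEP_NOT_ROOT;
    }

    if (set_zero_limit(RLIMIT_NPROC) != 0)
        return flags;

    /* Probe 1: no new descriptors. */
    errno = 0;
    if (open("/", O_RDONLY) < 0 && errno == EMFILE)
        flags |= STEP_NOFILE_OK;

    /* Probe 2: no new processes (root keeps forking unless it dropped uid). */
    p = fork();
    if (p < 0 && errno == EAGAIN)
        flags |= STEP_NPROC_OK;
    else if (p == 0)
        _exit(0);
    else if (p > 0)
        waitpid(p, NULL, 0);
    return flags;
}

/* Fork a child, let it sandbox itself and probe; return its bits or -1. */
int sandbox_selftest(void)
{
    char jail[] = "/tmp/djbjail-XXXXXX";
    int status, result = -1;
    pid_t p;

    if (mkdtemp(jail) == NULL)
        return -1;
    p = fork();
    if (p == 0)
        _exit(apply_and_probe(jail) & 0xff);
    if (p > 0 && waitpid(p, &status, 0) == p && WIFEXITED(status))
        result = WEXITSTATUS(status);
    rmdir(jail);
    return result;
}

int main(void)
{
    int r = sandbox_selftest();
    printf("result bits 0x%02x; uid for pid %d would be %u\n",
           r, (int)getpid(), (unsigned)pick_uid(UID_BASE, getpid()));
    return r < 0;
}
```

Run it as root to exercise every step; unprivileged, only the two rlimit steps are applied and the rest is reported as skipped. Note what the probes can and cannot tell you: they confirm only the operations someone thought to test for, which is exactly the objection above. An operation that is not on the list, or a kernel feature that does not consult these limits, is neither prohibited nor noticed.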