If shell == root and fork(2) == shell then fork(2) == root. That means any ability to execute code outside a sandbox == root so just forget about the whole notion of security. No. I'm not Pollyanna or anything but I'm not quite that cynical.
Posted Jun 1, 2012 17:20 UTC (Fri) by hummassa (subscriber, #307)
You should be (that much cynical). Once you break from the first jail, you are free, because you can break from the second, and third, and scale privileges, etc. Either you are inside the sandbox or loose. There is nowhere "in the middle".
Surrender?
Posted Jun 1, 2012 18:07 UTC (Fri) by Cyberax (✭ supporter ✭, #52523)
That's pretty much true. Normal Linux user accounts can become root or kernel easily - local kernel exploits are published about once a year and probably quite a number of unpublished exploits exist.
So yes, your only hope is to contain untrusted code inside of a sandbox. And even that is non-trivial - just ask Google.