Simplicity is useful

Posted May 20, 2009 17:40 UTC (Wed) by sfink (guest, #6405)
In reply to: Simplicity is useful by job
Parent article: Seccomp and sandboxing

I agree, chroot + setuid is one of the most successful models out there -- assuming you're measuring success by popularity. If you factor in effectiveness, on the other hand, I was under the impression that it's a disaster.

setuid is good, but privilege escalation flaws are not that hard to come by. And once you have root privileges, chroot is no longer a security mechanism, it's just a convenient filesystem remapping trick. Nothing prevents you from creating your own special device and mounting the entire filesystem within your chroot jail. And that's only one of many, many ways to escape chroot.

to post comments

Simplicity is useful

Posted May 20, 2009 18:32 UTC (Wed) by dlang (guest, #313) [Link]

if you assume that privilage escalation exploits are everywhere, nothing less than a fully locked down SELinux system can do you any good (and note that _no_ distro is shipping a _fully_ locked down SELinux system)

if privilage escalation exploits are not everywhere then chroot is much stronger.

and even though it's not as strong as other security mechanisms could be, the fact that those other mechanisms aren't used makes them pretty useless

however, I will disagree slightly with chroot being the most successful model, I'll point out that it builds on the basic unix user/group permissions, and I would call _that_ the most successful model

Simplicity is useful

Posted Jul 17, 2009 22:44 UTC (Fri) by job (guest, #670) [Link]

Nothing is a security mechanism against privilege escalation flaws in the mechanism itself. That's what appeals to me with seccomp, it should be possible to be made secure, as opposed to complex stuff such as LSM- or SELinux-arbitrated access control.