local root ~= remote root (it doesn't have to be)

Posted Nov 30, 2003 22:49 UTC (Sun) by Ross (guest, #4065)
In reply to: local root ~= remote root by ncm
Parent article: Debian.org compromise update

I agree with what you are saying in that people generally discount
local exploits as unimportant when they really are. However I disagree
that they all but guarantee remote root access.

Personally I run all services as non-root users chroot()ed to a directory
with no executables or libraries and which is mounted with nosuid and
nodev and no proc mounted. (I wish that the kernel provided a way to
remove process capabilities, but it only allows to you give portions of
root access to non-root users. I know I could use LSM but that's getting
overly complicated.)

(That's not to say I don't sometimes take additional precautions. For
example my firewall has no suid or sgid executables.)

Except for kernel bugs I find it unlikely that a remote user could
exploit a buggy service running as a non-root user in order to obtain
root access -- even with buggy userspace binaries installed.