科技回声 (Tech Echo)

A tech news platform built on Next.js, providing global tech news and discussion.
© 2025 科技回声. All rights reserved.

Chw00t: Breaking Unices’ chroot solutions

27 points, by mulander, over 9 years ago

8 comments

rsync, over 9 years ago

I think chroot can be used as one piece in a defense-in-depth security scheme.

I think it is incorrect to make a blanket statement that chroot cannot be used to increase security at all.

Further, I think all of the "root needed" exploits (most of them) are irrelevant. If you have root, who cares about defeating a chroot on that system? You're already root.

Finally, I note that the systems I use chroot on (FreeBSD) have almost zero vulnerability (see table on slide 27).
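The pattern rsync is describing, where chroot is one layer and the "root needed" escapes are made irrelevant by never staying root, looks like the following. This is an added example for illustration, not code from the thread or from the chw00t project; the helper names (`jail_dir_is_safe`, `enter_jail`) and the jail-directory policy (must be a directory, not group- or world-writable) are my own assumptions, and `enter_jail` itself has to run as root to succeed.

```c
/* Added example: chroot as one defence-in-depth layer. The process
 * enters the jail, moves its cwd inside it, and permanently drops root,
 * so the classic "already root" chroot escapes no longer apply.
 * Helper names and the directory policy are assumptions, not a standard. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Refuse a jail directory that is not a directory, or that group/other
 * could write to (a writable jail lets an attacker plant files in it). */
int jail_dir_is_safe(const char *path) {
    struct stat st;
    if (stat(path, &st) != 0) return 0;
    if (!S_ISDIR(st.st_mode)) return 0;
    if (st.st_mode & (S_IWGRP | S_IWOTH)) return 0;
    return 1;
}

/* Enter the jail and drop privileges for good. Returns 0 on success and
 * -1 with errno set on failure. Only succeeds when started as root. */
int enter_jail(const char *path, uid_t uid, gid_t gid) {
    if (!jail_dir_is_safe(path)) { errno = EPERM; return -1; }
    /* Staying root inside a chroot defeats the purpose; refuse it. */
    if (uid == 0 || gid == 0) { errno = EINVAL; return -1; }
    if (chroot(path) != 0) return -1;
    if (chdir("/") != 0) return -1;          /* cwd must be inside the jail */
    if (setgroups(0, NULL) != 0) return -1;  /* drop supplementary groups */
    if (setgid(gid) != 0) return -1;         /* gid first: setgid needs root */
    if (setuid(uid) != 0) return -1;
    /* Verify the drop is permanent: regaining root must fail. */
    if (setuid(0) == 0) { errno = EPERM; return -1; }
    return 0;
}

int main(int argc, char **argv) {
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jaildir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("enter_jail");
        return 1;
    }
    printf("jailed as uid %u, cwd is the jail root\n", (unsigned)getuid());
    return 0;
}
```

The order matters: `chdir("/")` after `chroot` so the working directory is not left outside the jail, `setgid` before `setuid` because changing the group requires privileges you are about to give up, and a final `setuid(0)` probe so a silently incomplete privilege drop is treated as a failure rather than trusted.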
cbd1984, over 9 years ago

Interesting discussion:

https://lwn.net/Articles/252794/

which links to here:

http://web.archive.org/web/20071011110715/http://kerneltrap.org/Linux/Abusing_chroot

which further makes the point that chroot is not now and has never been a member of the "security tool" universe.

AIUI, containers are meant to be secure against processes (and, therefore, users) that want to get out, so if you care about that, use those, instead.
Comment #10762629 not loaded
gtirloni, over 9 years ago

I don't know if I'm using this tool incorrectly or if Docker containers contain any measures against what it tries.

On a machine running Linux 4.2.7 and a container created with Docker 1.9.1, the tool either failed with an error or said it had broken out but the root was still inside the container.

Modes / Result:

* -0 / no error, root still inside container
* -1 / no error, root still inside container
* -2 / no error, root still inside container
* -3 / error, "error mounting chroot: Operation not permitted"
* -4 / error, "error creating block device: No such file or directory"
* -5 / error, "error creating $nestdir"
* -6 / not tested
* -7 / error, "error attaching process"
* -9 / no error, root still inside container
sdkmvx, over 9 years ago

Since Slideshare is completely broken, this is available in PDF form (along with more) at https://github.com/earthquake/chw00t
binarycrusader, over 9 years ago

Eh, this is sort of silly in some respects. chroot is not meant to be a security mechanism (yes, I know the presentation mentions this). The limitations are well known in the OS community. With that said, I agree that many developers mistake chroot's real purpose.

Solaris, in particular, offers a far superior solution with zones.
0x0, over 9 years ago

When I clicked this link, apparently SlideShare did some automatic voodoo with my LinkedIn cookie and now there's a public slideshare profile page with my name on it that I cannot delete or unpublish :(
gruez, over 9 years ago

'unices' is the plural of unix? TIL.
Comment #10763066 not loaded
liveoneggs, over 9 years ago

go go netbsd
Comment #10762693 not loaded