Contributed by jose on from the as-seen-on-Slashdot dept.
"OpenBSD recently changed the mode of operation for the Apache webserver from the normal non-chrooted operation to chrooted operation. This enhances the security of the server on which Apache is run but it imposes a few challenges to the system administrator.Very cool, Marc, glad to see someone is showing others how to make use of this feature while still serving up complex content. Thanks!
In this article Marc Balmer discusses selected aspects of running a chrooted HTTP daemon and present strategies on how to set up a chrooted environment for more complex applications like database access or using CGI-scripts."
(Comments are closed)
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Grsecurity enforces some extra (non standard) stuff. Why is this needed? That's not what chroot should be used for!
Comments
By Dries Schellekens () on
By Anonymous Coward () on
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
Once you chroot, your / becomes what you chrooted to, since that's what's supposed to happen. They seem to think that if you call chroot("/") inside the new root you'll go back to the system's root, which is just plain wrong.
They should at least check with stat that the device and inode for / go back to the original ones or something.
Maybe they just like the ego boost of seeing all those PASSED for their system and FAILED for the others, by testing non-bugs and "fixing" them.
Comments
By Anonymous Coward () on
Either way, their testing isn't worth much.
Comments
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
No, I wasn't. Do you have any URLs? Anyway, I guess those are attacks against a buggy chroot implementation, not the chroot concept.
Comments
By tedu () on
Comments
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
And what does that has to do with being able to chroot twice? Sounds like fixing the wrong bug. "Someone" was not supposed to get root in the chroot to begin with.
If user foo wants to slowly chroot into /home/foo/very/long/path/to/chroot/environment one subdir at a time, fine. He will only get more and more restricted as he goes deeper. But if he can suddenly find a root exploit in there it's a completely different problem.
Comments
By nother () on
most of their tests want uid(0) anyway to execute test-exploit-whatever
By boredom () on
They have quite a bit of animosity towards others, which just seems lame in the world of open source. I can understand the religious wars, and the battles over license choices. In their case, they just seem bitter because other people get more credit than they do, and borrow ideas from them, without using their specific implementation.
I guess that would be fine in the commercial world, but just seems wrong when you're already trying to support other 'communal' systems.
Comments
By Anonymous Coward () on
beef with ;-). so, in order of mentioning:
1. beef with OpenBSD: if there's anything like that then it's probably because of the apparent
discrepancy between what OpenBSD actually provides (we're talking about 'security' here) and what
people at large think it does. the chroot stuff (some of which works as non-root as well, mind you)
is just one of the many, whether you (the public at large) know about it or not. since this difference
is positive (public assumes more than reality), there must be some propaganda going around here,
don't you think?
2. beef with others: nothing with Solar Designer, in case you missed the joke, it was referring
to people who mistook PaX with his non-exec stack patch over the years. Dr. Cowan is associated
with Immunix, not Trustix (last i checked at least) and they're well known in the industry for
delivering (or not) on time ;-). if and when you read Dr. Wheeler's HOWTO, i'd like to know what
you think about it (the parts mentioned), in particular the unmistakable (and not justified) bias
towards StackGuard and downplaying others.
3. animosity towards others: any evidence for this?
4. bitterness about (lack of) credits: really, do you think it matters? i mean, if we had
cared about it, couldn't we have spread our own propaganda all these years? there're enough forums
for computer security after all (both on-line and off-line), it wouldn't have been hard to spam
them. but it didn't happen, and the reason for that is very simple: our software spreads by word of
mouth (i.e., based on its own merits), not propaganda (i.e., not based on perceived merits).
5. as for the "bitter because [...] borrow ideas from them, without using their specific
implementation": any evidence for this? also, how about (the lack of) crediting the ideas
themselves in the first place? you put it well when you said: it "just seems lame in the world of
open source".
6. finally, cheer up please, April Fool's got its name for a reason, only the fool gets fooled... ;-)
By Anonymous Coward () on
By awk fu () on
By tedu () on
http://www.bpfh.net/simes/computing/chroot-break.html
By Bebop () on
Comments
By Anonymous Coward () on
It still has a while to go before it is a secure os.
--billy
Comments
By Henr () on
By nother () on
By Anonymous Coward () on
It's not just double-chroots anymore (as some would believe).
The regression "tests" are merely "tests", not exploits. They test enough to prove that a particular exploit could be launched on the given OS. (And the exploits do exist)
You might want to check your facts for once instead of repeating your "OpenBSD is secure" mantra.
Comments
By Anonymous Coward () on
Most OpenBSD daemons chroot to /var/empty and drop priviligdes.
Comments
By Anonymous Coward () on
By tedu () on
By Dries Schellekens () on
If you don't want these system calls inside the chroot, use systrace to disable them.
GR Security has these restrictions by default, so what! OpenBSD can too.
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Now, if we all stopped sitting around with our balls in our hands saying "my software is the best for everyone and everything!" and spent that time making better software, writing better documentation, and presenting things better (I saw no "about" page on the grsecurity site, so finding quick information as to what it actually did was a little more difficult) we could all have better software and a better understanding of how that software works.
Oh well, this is getting long and I am getting into that "Why can't we just get along!" sort of mood. So have a great day, and I look forward to looking for more information on these subjects and possibly trying the software you have written.
Comments
By Anonymous Coward () on
Comments
By Anonymous Coward () on
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
Now _that's_ some prejudice, heh? Are you from USA? I mean, that would explain the arrogance.
I've just noticed in your site that grsecurity is a security patchset for Linux. That may also explain your attitude against OpenBSD.
BTW, while I was browsing your site with Konqueror and tried to view the slides of that second paper in the list, the page complained that it was optimized for a newer version of Internet Explorer... weird!
By Anonymous Coward () on
Comments
By Anonymous Coward () on
Theo has mentioned in atleast one email to misc@ and probably other places that they do not disable everything because a system that has everything disabled *is* useless. They want a secure but usable system.
There have been times they have something working one way, do not see a change as worthwhile, and then change later down the road when they have the time and motivation to work on it or something comes out to change their minds. Maybe if someone shoved enough proof in front of them they could or would fix whichever bugs are being exploited.
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
Can you provide an example of how one would go about breaking out of a chroot by using a semaphore or shared memory? This really sounds like some random rant without facts, so please provide some evidence, I'm really curious here.
> ... depending on the root privileges that exist within the chroot.
Which should be none. :)
Comments
By Anonymous Coward () on
Shared memory can be used to break out of a chroot as non-root. It's common for non-root apps to be run as the same uid (usually "nobody"). You need to target some shared memory in use outside the chroot by the same user. Apache is a good target on systems where apache isn't chrooted, but other apps are. Simply shmget the shared memory (the key can be pre-determined or bruteforced). The shared memory can be marked as private, it doesn't matter to the exploit. All that is left is to shmat() the shared memory shmget() returned the id of, and write to it. Since you're dealing with raw memory, there is no way the application using the shared memory can't be exploited, since even if it were to do bounds checking every time it accessed anything from the shared memory (which is never done) there are race conditions involved. So, overflow an integer, lengthen a character array...you control the process outside of chroot. And thanks to OpenBSD's incomplete and ineffective non-executable protections (remember, on i386 it's still only a non-exec stack) you can execute code in the shared memory. Game over.
Was that a random rant without facts?
Comments
By Anonymous Coward () on
I tought OpenBSD ran every service as another uid?
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
OK, so considering that OpenBSD runs every daemon as its own uid, this point is bogus.
And I doubt OpenBSD could be blamed for every poorly coded daemon the user chooses to run which does not ensure proper checking of its shared resources, like memory segments. Can you exploit such a situation in an OpenBSD full install (no ports, obviously)?
Comments
By Anonymous Coward () on
Ok, fine, let's assume no one adds any 3rd party software to their OpenBSD box, and leaves it as the useless default install with only OpenSSH running. OpenSSH's empty non-root chroot can still be broken. How you ask? Because of exactly the thing you talk about...."OpenBSD runs every daemon as its own uid." This is very true. Their "privilege separation" pipes all connections to ssh through a single non-root user. Hack your own connection, you own that user. ptrace the other processes, you can grab everyone else's passwords, including root. How's that, sir? You can continue to blindly defend OpenBSD, but the facts are out there for people who want to know the truth.
Comments
By Anonymous Coward () on
Maybe make a temporary hotmail account where I may contact you?
I suppose this is not possible, as I will have no way to ensure you will be the person who will reply.
Comments
By grey () on
This sounds like the same fellow of most grsecurity posts. Just check their forums for a bit and you can reason who it might be judged from writing style.
My guess is this is spender/Brad Spengler since he seems to be the moderator for all the forums there, his addy is spender@grsecurity.net. Alternatively, you could try writing dev@grsecurity.net and see what happens, since that's listed there.
It's hard to say without a name attached, he might not have any official affiliation with the project. I don't with OpenBSD, but debating things doesn't require that after all.
Anyway, I must say that Fábio Olivé Leite has been doing quite a job in attempting to ellicit more detail from someone who seems happy to throws his hands up in the air in exasperation without affording extensive details. I appreciate that, since efforts like Fabio's can raise the bar of everyone's awareness, even when the person pointing faults isn't giving complete information.
This all does seem a little odd, since I never interpretted chroot as being much of a security feature. Looking at the GRSecurity modifications to chroot - it definitely looks neat, but what it has in relation to a traditional Unix(tm) chroot is beyond me. Other folks who have done extensive jailing have chosen different names in the end like jail, or TPE.
I do see some validity to pointing out wariness to a false sense of security that some might have with OpenBSD. I just don't agree with the assumption that OpenBSD developers and users actually believe that they're really guaranteed security.
I've never seen an OpenBSD developer (or at least not Theo) ever claim that OpenBSD was the most secure OS. Security is certainly a goal, and a pretty loftily held one, but the way they go about it has historically been through bug fixing and insuring -correctness- rather than implementing countermeasures.
Just look at propolice, Theo has long had arguments against technologies such as the recently incorporated propolice precisely because they don't fix the root cause of security problems, of bugs and poor design, and can lead to a false sense of security. I'm glad that he's finally seen merit to other things for defense in depth, but from what I've seen the primary goal in OpenBSD security efforts has been to correct flaws in code e.g. the new strl* change efforts, will hopefully clean up remaining string problems, assuming strl* is used properly, which is probably pretty likely.
GRSecurity obviously has its own goals, but I don't see how they need to be clashing with OpenBSD right now. The 'secure by default' refers primarily to a mindset of default configurations in a complete and functional Unix environment, it is not the be-all-end-all of security, and I don't think that OpenBSD developers or users make such claims. That statement merely reflects a baseline attitude, really, it's that trivial. No one has ever said that once you install OpenBSD your concerns are over, but rather that you're off to a good start.
Since GRSecurity appears to have some pretty nifty features and is multi architectural, I would even see room to encourage a port to a different platform like OpenBSD where the mindset of the users would welcome it. However, due to licensing issues, I doubt that would ever be incorporated into the base install. It wouldn't be the first or last set of utilities designed to bring further security to OpenBSD.
The one thing that really bugs me about this poster is that he assumes that OpenBSD users and presumably developers are living life with their blinders on, simply consuming propoganda. At least speaking personally, I feel that's completely untrue. And while users and developers may take pride in the way OpenBSD goes about doing things, I don't think any of them blindly make or accept claims - be they true or false. Announcements of new features or revelations of unfound bugs are not a claim that there isn't more work to be done.
If there weren't more work to be done, then life would get pretty uninteresting pretty quickly.
I really hope to see operating systems even more secure, and even more user friendly in the future. I don't know if OpenBSD will provide all that, but for the time being I feel that their approach (and they're not the only ones, but they're the focus of this discussion at least) is the closest to how things should progress onwards in my opinion.
If someone else came out with an OS tomorrow that was super secure, liberally licensed (BSD, MIT or maybe public domain), free and extremely functional - I don't think I would be the only OpenBSD user (or even developer) to check it out.
Until that happens, from an operating system level (not just a set of patches) - OpenBSD is not perfect by a long shot, but it's pretty darn good.
Comments
By Joel Rees () joel@alpsgiken.gr.jp on http://www.alpsgiken.co.jp
The one thing that really bugs me about this poster is that he assumes that OpenBSD users and presumably
developers are living life with their blinders on, simply consuming propoganda.
--------------------------------------------
It strikes me that the assertion that the listener has blinders on is typical of someone selling new and improved blinders.
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
Hey! You seem to have a point here. Reading ptrace(2) I found that PT_ATTACH allow a process to trace any other processes running under the same real uid. In Linux, for example, there's the added constraint that the traced process be a child of the tracer. Perhaps OpenBSD should embrace that constraint.
Congrats! We managed to prove one of your points with facts instead of macho talking! :)
> You can continue to blindly defend OpenBSD, but the facts are out there for people who want to know the truth.
Right on, Fax Mulder. Now where's Dana SCSI to support your quest.
Serious, though: see, you could have made your points clearer from the start by explaining your points, instead of just telling people how big your dick is or something.
If the OpenBSD crowd sings the mantra of secure by default or whatever, it's because of a history of bug-fixing and code audit. Of course anyone can cvs checkout and quickly fix a bug that has not yet been given enough attention by the OpenBSD developers, so that they can have their own "even more secure" OS for some time.
But how long will you be playing that game? Have you considered that the other projects might appreciate your help, since you are so enlightened? Or have your ego been too much in the way for you to understand that it's all about "sharing" instead of "comparing and bitching about it"?
Comments
By Anonymous Coward () on
By Anonymous Coward () on
Comments
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
I agree to end this thread here. I just want to add that you might not want to count me in the "stubborn openbsd crowd" since I've been using Linux for more than 8 years now, and just a few months ago got really interested in OpenBSD.
I do value a good technical discussion based on facts, though, and that's why I defended OpenBSD: to get you to provide some facts. :)
Regards
By tedu () on
vi sys/conf/GENERIC
/PTRACE
dd
:wq
config make cp reboot
ignoring the fact that chroot has NOTHING to do with ptrace or signals or shared memory or ...
Comments
By Anonymous Coward () on
Comments
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
What _YOU_ don't seem to understand is that no one in the Unix history ever said that calling chroot(2) puts your process in an isolated virtual machine. You could use user-mode-linux for that, since you are Linux oriented (and yes I know what I'm talking about).
chroot(2) does what it's intended to do: change the FILESYSTEM root of the calling process to a point deeper in the FILESYSTEM tree so that it will not be able to access FILES in the other branches of that tree.
Anything else is a bug in some other place, so complain about that other place, not chroot.
Comments
By Anonymous Coward () on
-----------------------
OpenBSD recently changed the mode of operation for the Apache web-server from the normal non-chrooted operation to chrooted operation.
This enhances the security of the server on which Apache is run but it imposes a few challenges to the system administrator.
-----------------------
see, at least he believes it enhances security. so who are you really arguing with? and what about sshd in chroot decided by no less authority than core OpenBSD developers? are you saying they didn't understand what (little) chroot() achieved? if there's anyone who you need to educate then it's all the people who're using OpenBSD's (and other's) chroot() for whatever 'increased security'. notice that i'm not arguing pro or contra for using chroot() per se, but i'm trying to make it clear that using it as it is for 'increased security' is just plain wrong. whether you want to solve that problem by fixing chroot() and related issues or develop a whole another solution or switch to another OS is none of my business.
Comments
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
OK, that was a bit over the top. Sorry.
> ... using it as it is for 'increased security' is just plain wrong.
Well, I still think it increases security, as it makes things more difficult for an attacker, by providing him with an environment with less resources. Of course it's not the holy grail of server security, but it helps. And that's what is meant by "increased security".
Perhaps we'll have to agree to disagree.
By djm () on
Comments
By Anonymous Coward () on
By Henning () henning@openbsd.org on mailto:henning@openbsd.org
These are NOT my words.
chrooting apache increases security indeed. But not for it alone. I have done more than just chrooting. In fact, I see the privilege drop in the parent process as the most important change. The chroot() heavily helps in securing.
chroot() for it alone doesn't make much of a difference; chroot() as part of a bigger security enhancement like what we did for apache is very powerfull and does increase security.
Your constant babbleings about breaking out of the chroot() we impose in httpd are backed up by nothing, so shut up or come up wiith facts.
Comments
By Anonymous Coward () on
By Anonymous Coward () on
By djm () on
You can continue to ignorantly blab on about false exploits, but you have yet to demonstrate one.
You rant and accuse others of not wanting facts, but when you actually respond with something factual, it is obvious that you don't know what you are talking about.
By djm () on
The "comparison" at http://www.grsecurity.net/compare.php misses the point in a fairly major way. All of your chroot tests only make sense if you don't give up root privileges inside the chroot - which is obviously wrong and is NOT what OpenBSD does.
BTW your regress test has at least two bugs in it:
http://cvsweb.grsecurity.net/index.cgi/regression/chroot_chdir_test.c?rev=1.1.1.1&content-type=text/x-cvsweb-markup
You seem more interested in competing (or more accurately, "trash-talking") than improving the state of the art. You deliberately ignore systrace, securelevel and current practice so you can cheaply score a few points.
Comments
By Anonymous Coward () on
You're more interested in shoulda-coulda-woulda than what the actual state of things are. The tests that can be launched as non-root don't need to be run as non-root to prove the point. If you understood what was going on, you would know that.
Comments
By Anonymous Coward () on
By Fábio Olivé Leite () foleite@yahoo.com.br on mailto:foleite@yahoo.com.br
Surely you ran a poll and had everybody in the audience to answer it, before jumping into that conclusion?
> You're more interested in shoulda-coulda-woulda ...
Hmmm I guess you are the one who is more interested in proving how macho you are with your questionable security concerns.
Please start posting with your real name, it's getting difficult to understand who is answering to whom here (although I recognize your posts by your language and attitude).
You see, I'm really curious about all the points you raised, but it gets difficult to discuss things when you underestimate everybody else so much. Perhaps you need to get laid or something so that you'll calm down a little.
Comments
By Anonymous Coward () on
As for my statement about no one knowing how to break a chroot, it still stands. I have yet to see anyone post here with a shred of technical fact to refute my claims, only "but it's OpenBSD, the most secure OS in the world, it cannot be wrong!"
By Anonymous Coward () on
> audience to answer it, before jumping into that
> conclusion?
do you realize that the very core of this question defeats the naysayers' point? ;-) see, if the OpenBSD chroot cannot be broken, then there cannot be people who know how to do it - the original statement stands. now on the other hand, if said chroot can be broken, then those in the know number 1 here (the original poster), so the rest still comes out at 0.
By djm () on
Breaking out as root doesn't count, using syscalls which have some effect (e.g. kill) outside the chroot doesn't count, breaking out of a chroot where you haven't done a chrdir("/") certainly doesn't count.
You seem to be labouring under the misconception that chroot is general privilege lowering mechanism, it is not (except in the most restricted sense). You want gaol() or whatever it is called from FreeBSD. As I mentioned, the OpenBSD way of doing this is systrace.
chroot exists to limit an unprivileged process' access to the filesystem, nothing more.
I agree that systrace should be used to further restricte chrooted processes in the default install, but then you could do most of what your patch does on Linux with capabilities anyway. Why don't you contribute some policies? I suspect that you would prefer to anonymously whine and self-promote (you didn't help the MicroBSD guys out in a past life, did you?.
Comments
By not same guy () on
since you brought up systrace: it has design deficiencies, which were brought to the attention of its author long time ago, but you see, he knows better. example: what's the goal of restricting execve() based on its arguments when you don't (read: CANNOT, in the current design) do the same for mmap()? take a look at the sample apache policies at http://www.citi.umich.edu/u/provos/systrace/usr_sbin_httpd . it says among others:
native-fswrite: filename match "/logs/*" then permit
native-mmap: permit
native-mprotect: permit
do you realize that that's all one needs to execute arbitrary code (even despite non-exec pages, etc)? this is a design issue and there's no fixing it with any (useful) policies. see, if systrace were worth its salt, knowledgable people would be using and contributing to it. that's all for now, awaiting your response (hopefully you get down from your pedestal and say some technically sound arguments finally).
Comments
By Anonymous Coward () on
chroot is still effective b/c it prevents different attacks, like poorly written cgi/php/ssi that opens and displays files based on user input from reading anything in /etc or other dirs.
chroot is like a bullet proof vest - it will protect you in a specific place from a specific attack. Give a cop the vest, do you really think he will complain "this is ineffective, i am still vulnerable to grenades, rpg's, chemical warfare and more! What if they shoot me in the face or legs??"
By Anonymous Coward () on
By tedu () on
get over yourself.