From: David Coulson <david@da...> - 2002-07-24 02:33:43
"So, a chroot jail for UML would need to contain only two files - the
UML binary itself and the filesystem that it boots from.
This needs to be verified - I haven't actually booted UML (or heard from
anyone who has) in such an environment"
I've got UML running with only the 'linux' binary, a root image and a
tmpfs mounted tmp directory - I don't think there is anything else I can
remove from the chroot directory.
On the security front, chowning the binary to a user who is different
from that which runs the UML and setting the permissions to '0555'
should stop anyone who has broken out of the UML being able to hijack
the linux binary to break out of the chroot, since they will be unable
to edit the file. I'm unsure of the appropriate ownership and
permissions for the root-fs file within the jail. I have the directory
which becomes the new / chowned to another user, and it has the
immutable bit set, so that the root-fs can not be deleted, although I
see little point in doing much else with it since if you want to trash
it, it's not too difficult to do so from within UML. An attacker could
still create files within the tmp directory, but as UML needs to be able
to create the vm_file, I'm unsure how exactly that directory could be
For network connectivity, I am currently creating 'dev/net/tun' within
my chroot, which is somewhat insecure - I'm assuming a DoS attack could
be started against the host by creating many tun/tap devices. What I am
thinking of doing is creating a tap device, then connecting 'uml_switch'
to this tap device outside of the chroot, as the user which will be
executing the 'linux' binary within the jail, but point uml_switch's
control socket to a fifo within the chroot directory. Assuming
uml_switch can not be exploited such that a user can send arbitrary data
to dev/net/tun from within the jail, uml_switch is suitable as a proxy
for network traffic between the host and the UML within the jail.
Anyone have any thoughts on this configuration?
David Coulson http://davidcoulson.net/
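As an added example (not part of David's post), a POSIX shell audit function that checks a jail directory against the layout and permissions he describes: only the 'linux' binary, a root filesystem image and a tmp directory, the binary mode 0555 and owned by a uid other than the one that runs it, and no device nodes inside the jail. The jail path, the file name `root_fs` and the uid argument are assumptions, and it relies on GNU coreutils `stat -c`.

```shell
#!/bin/sh
# Audit a UML chroot jail laid out as in the post above (example code, not
# from the original message). Assumes GNU coreutils stat(1) and that the
# root image is named root_fs. Prints each finding; returns 0 when every
# check passes, otherwise 1.
uml_jail_check() {
    jail=$1          # directory that becomes the new /
    run_uid=$2       # uid that will execute the 'linux' binary
    problems=0

    # Only the three expected entries may exist at the top of the jail.
    for entry in "$jail"/* "$jail"/.[!.]*; do
        [ -e "$entry" ] || continue
        case $(basename "$entry") in
            linux|root_fs|tmp) ;;
            *) echo "unexpected entry: $entry"; problems=$((problems + 1)) ;;
        esac
    done

    # The binary must be 0555 and owned by a uid other than the one running
    # it, so a process that escapes UML cannot rewrite it.
    if [ -f "$jail/linux" ]; then
        set -- $(stat -c '%a %u' "$jail/linux")
        [ "$1" = 555 ] || { echo "linux mode is $1, expected 555"; problems=$((problems + 1)); }
        [ "$2" != "$run_uid" ] || { echo "linux is owned by the uid that runs it"; problems=$((problems + 1)); }
    else
        echo "missing $jail/linux"; problems=$((problems + 1))
    fi

    [ -f "$jail/root_fs" ] || { echo "missing $jail/root_fs"; problems=$((problems + 1)); }
    [ -d "$jail/tmp" ] || { echo "missing directory $jail/tmp"; problems=$((problems + 1)); }

    # No device nodes inside the jail: dev/net/tun belongs outside, with
    # uml_switch proxying traffic through a control socket in the jail.
    devs=$(find "$jail" \( -type c -o -type b \) -print | wc -l)
    [ "$devs" -eq 0 ] || { echo "$devs device node(s) found inside the jail"; problems=$((problems + 1)); }

    [ "$problems" -eq 0 ]
}
```

Run it as the user that owns the jail, passing the uid the 'linux' binary will execute under; the immutable bit on the jail directory is not checked here because lsattr is filesystem-specific.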