About this list Date view Thread view Subject view Author view Attachment view

From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Thu 14 Nov 2002 - 03:24:46 GMT

On Wed, 6 Mar 2002 17:20:27 -0500, klavs klavsen wrote
> Hi guys,
> just studied jail a little.. found missing info on chcontext
> functionality. The answers to the questions below I think would be great
> additions to the chcontext Man-page.
> quote from the FAQ (jail vs. vserver)>>
> The new_s_context is not privileged, so a normal user can use this to,
> for example, setup a personal security box before executing a
> not-so-trusted game.<<
> If I start my services (on main vserver) with chcontext, does this mean
> that if one of the services (started from the same vserver as the
> others) got hacked, the hacker wouldn't be able to access any other
> services20

Not exactly, but chcontext is one part of the puzzle. If you do
(even as a normal user)

        chcontext /bin/sh

you end up with a shell in a different context. It can't interact (signal, see)
all the processes in the box. But it can talk to other processes using IP or
other unix domain socket.

chcontext can also lower the capability ceiling of that process. This means that
the process would not be able to grab more control even as root or even
it if managed to crack a setuid program on the box.

So this is a start. Other mechanisms are needed to further control the process.
For example, we can also do

        chcontext chbind --ip /bin/sh

we end up with a process unable to setup any IP service, nor do any IP
client access (unless is a valid IP of the box). Now combined with
a package like aclfsd (part of the virtualfs project), one may control
exactly where a process can connect, using which port.

The idea with chcontext and chbind and personnal security box is that
you drop lots of privilege and you let a "security manager" perform the access
for the process. This is what aclfsd does.

> it only seperates processes, so wouldn't the hacker just be able to
> "screw up" all the files..

Yes. One solution here is to "on demand" chroot the process and then let
it only access file using aclfsd.

on demand chroot means you setup a directory on the fly (mostly empty) and
run the process there.

> And if he local exploit in a program he could achieve vserver "root",
> and then just stop the processes20

You can't get out of the security context, so can't stop other processes.

> if so, are there any security context where using chcontext within a
> vserver would help any?

By default, a vserver is locked in one security context. It can't use chcontext

Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!

About this list Date view Thread view Subject view Author view Attachment view
[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Thu 14 Nov 2002 - 06:26:38 GMT by hypermail 2.1.3