Products Openwall GNU/*/Linux   server OS Linux Kernel Runtime Guard John the Ripper   password cracker Free & Open Source for any platform in the cloud Pro for Linux Pro for macOS Wordlists   for password cracking passwdqc   policy enforcement Free & Open Source for Unix Pro for Windows (Active Directory) yescrypt   KDF & password hashing yespower   Proof-of-Work (PoW) crypt_blowfish   password hashing phpass   ditto in PHP tcb   better password shadowing Pluggable Authentication Modules scanlogd   port scan detector popa3d   tiny POP3 daemon blists   web interface to mailing lists msulogin   single user mode login php_mt_seed   mt_rand() cracker Services Publications Articles Presentations Resources Mailing lists Community wiki Source code repositories (GitHub) Source code repositories (CVSweb) File archive & mirrors How to verify digital signatures OVE IDs What's new

Date: Thu, 06 Jun 2013 21:26:06 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
Subject: Re: chroots & uid sharing

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 06/06/2013 12:17 PM, Seth Arnold wrote:
> On Thu, Jun 06, 2013 at 03:02:37PM +0200, Jason A. Donenfeld
> wrote:
>> What I wonder is how many distros are shipping various daemons
>> that run under the nobody user, with certain ones chrooting and
>> others not. How should we handle this?
> 
> We can handle nobody well enough by correcting its mis-use every
> time we spot it. There are enough purpose-specific users on a
> typical system these days to just give the impression that any new
> service should get its own corresponding user, so the temptation to
> use 'nobody' is lower than it used to be.
> 
> Of course, if a different user account gets abused for both
> chrooted and non-chrooted use, that's harder to combat, short of
> reminding people that chroot is filesystem and _only_ filesystem..

I literally can't remember when people started saying "if you're using
chroot for security, you're doing it wrong" it was a long time ago. At
least a decade for myself and I wasn't the first person (that probably
goes to the BSD guys and jail()):

http://seclists.org/vuln-dev/2002/May/419

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)

iQIcBAEBAgAGBQJRsVLNAAoJEBYNRVNeJnmTFzkQAIeHqk2uSmK2wKqP9o3CQ0JG
GcY21kKwl/JyBSqgsLQutDp7sdqrngK+Dcti/W/JICacvPO+rHfgh7UI5bYX8FuL
AiXW4jc5Sn7s3SfWWGEizur8bz7GAxhEy/Jy3h8w8ZIry0ufXbgigyBv+xT3qoZG
8L4Kd+88V03kpt478IQNsOAgvlv20vY16mz7JLTXdEKECBHJxhD454nPLGtvfcSc
pmZ+g2TzGBniR0KzwKqtiPSbgBW+Edx/RaQ+nZFdJmL9BF6DX6fGwf4potOZ8lTa
whYi5Kzcabdlv8QXQ12HHNmJ13DH2qz42B55AIb222g2HntB/RTA2m7+Od8K2vJw
kR4NDOrtzUYB9xOSFKe3YTNeM+0n+BcRwagoUjQXLijCdIXH/Qgoht8N18943v6w
xq4K/MwL1EO57jyuGhADMKBnQ0ZX9SsKKwGccYjM0JqGYv/j5Usz8Pv+100GKNOn
bOK0ToBHZClhGMsFSOpFDw8IWIZ/OwOWDUgO5hcj/Go5m6kDZUilJTY2JqOI/3o2
fxC76SWbAy3sM4hs2/mIUsPJDauESzezU4IZ+w5qqIXXs3r1zyu7yRbAc/cQ6543
/QVp737RSsxGlaarelytXmBvGWgob7hw9tBAq93LR1zyY2uYv3AErWeDit3LL8ju
QVa2pPNX+5RZuByj7JZ/
=WFp/
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.