5.10. General use of chroot and suid
chroot is one of the most powerful ways to restrict a daemon, a user, or another service. Just imagine a jail around your target which the target cannot escape from (normally, although there are still many conditions that allow one to escape such a jail). You can build a modified root environment for the user or service you do not trust. This can use quite a bit of disk space, since you need to copy every required executable, as well as the libraries they depend on, into the jail. But then, even if the user does something malicious, the scope of the damage is limited to the jail.
Many services running as daemons could benefit from this sort of arrangement. The daemons you install with your Debian distribution will not, however, come chrooted[42] by default. This includes name servers (such as bind), web servers (such as apache), mail servers (such as sendmail) and ftp servers (such as wu-ftpd). It is probably fair to say that the complexity of BIND is the reason it has been exposed to so many attacks in recent years (see Section 5.7 "Securing BIND").
However, Debian does provide some software for setting up chroot environments; see Section 5.10.1 "Making chrooted environments automatically".
In any case, if you run a service on your system you should make it as secure as possible. This includes dropping its root privileges, running it in a restricted environment (such as a chroot jail), or replacing it with a more secure alternative.
Be aware, however, that a chroot jail can be broken out of if the process inside it runs as root. So make sure the service runs as an unprivileged user. By restricting its environment you limit which files the service can read and execute, and so you also limit its opportunities to escalate privileges by exploiting vulnerabilities in the local system. Even then, you cannot be certain that a clever attacker will not find some way to break out of the chroot jail. Using only server programs with a well-established security record is a good additional safeguard: even a tiny hole, such as an open file descriptor that points outside the jail, can be used by a skilled attacker to compromise the system. After all, chroot was not designed as a security tool but as a testing tool.
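The manual jail construction described above, as an added example that is not part of this manual: a POSIX shell script that copies one binary and every shared library ldd reports into a jail directory, lists any setuid/setgid files left in the jail (there should be none), and runs the program inside the jail as an unprivileged user via chroot --userspec so that nothing inside the jail ever runs as root. The jail path /srv/jail, the user nobody and the daemon path on the usage line are assumptions, not values from the manual.

```shell
#!/bin/sh
# Added example (not from the Debian manual): build a minimal chroot jail for
# a single dynamically linked program and run it there as an unprivileged user.
set -eu

# Copy one file into the jail at the same path it has on the host, e.g.
# /lib/x86_64-linux-gnu/libc.so.6 -> $jail/lib/x86_64-linux-gnu/libc.so.6.
# -L resolves symlinks so the jail gets a real file, while the path stays the
# one the dynamic loader will look for inside the jail.
jail_copy() {
    jail="$1"; src="$2"
    mkdir -p "$jail$(dirname "$src")"
    cp -L "$src" "$jail$src"
}

# Copy a binary plus every shared library it needs.  ldd prints lines such as
#   libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x...)
#   /lib64/ld-linux-x86-64.so.2 (0x...)
# so we keep every whitespace-separated field that is an absolute path.
# A statically linked binary makes ldd fail; the jail then just gets the binary.
jail_add_binary() {
    jail="$1"; bin="$2"
    jail_copy "$jail" "$bin"
    libs=$(ldd "$bin" 2>/dev/null |
           awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }') || libs=""
    for lib in $libs; do
        jail_copy "$jail" "$lib"
    done
}

# Print any setuid or setgid files inside the jail.  A jailed, unprivileged
# process should have nothing it could use to regain privileges, so this
# should print nothing before the jail is put into service.
jail_find_setuid() {
    find "$1" -type f \( -perm -4000 -o -perm -2000 \) -print
}

# Run a command inside the jail.  chroot(8) itself must be run as root, but
# --userspec=USER:GROUP makes it drop to that identity before exec, so the
# jailed program never runs as root (the condition under which a chroot jail
# is known to be escapable).
jail_run() {
    jail="$1"; user="$2"; shift 2
    chroot --userspec="$user" "$jail" "$@"
}

# Usage (assumed paths):  JAIL=/srv/jail ./mkjail.sh /usr/sbin/some-daemon
# Builds the jail, refuses to continue if a setuid file slipped in, then
# starts the daemon as nobody.
if [ "$#" -ge 1 ]; then
    jail="${JAIL:-/srv/jail}"
    jail_add_binary "$jail" "$1"
    if [ -n "$(jail_find_setuid "$jail")" ]; then
        echo "setuid/setgid files found in $jail, refusing to start" >&2
        exit 1
    fi
    jail_run "$jail" nobody:nogroup "$1"
fi
```

This only covers the executable and its libraries; a real daemon usually also needs /dev/null, its configuration files, /etc/resolv.conf or a passwd entry, and a writable log or spool directory inside the jail. Tracing those extra files is exactly the work makejail automates with strace, as described in the next section. Also copy files rather than bind-mounting the host's directories, otherwise the jail restricts nothing.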
5.10.1. Making chrooted environments automatically
There are several programs that chroot servers and services automatically. Debian currently (accepted in May 2002) provides Wietse Venema's chrootuid in the chrootuid package, as well as compartment and makejail. These programs can be used to set up a restricted environment for executing any program (chrootuid even lets you run it as a restricted user).
Some of these tools make setting up the chroot environment easy. The makejail program, for example, can create and update a chroot jail from short configuration files (it ships sample configurations for bind, apache, postgresql and mysql). It attempts to guess, and install into the jail, all files required by the daemon, using strace, stat and Debian's package dependencies. More information is available at http://www.floc.net/makejail/. Jailer is a similar tool which can be retrieved from http://www.balabit.hu/downloads/jailer/ and is also available as a Debian package.
[42] It does try to run them with minimum privilege, which includes running daemons under their own users instead of as root.