Great Circle Associates Firewalls
(February 1998)
 


Subject: Re: http server for bastion host
From: Stepken <stepken @ edina . xnc . com>
Organization: Freie Software Systeme
Date: Mon, 09 Feb 1998 20:36:15 +0100
To: "Michael H. Warfield" <mhw @ wittsend . com>
Cc: Stepken <stepken @ www . firmen-info . de>, marcs @ znep . com, Firewalls @ GreatCircle . COM
References: <199802090432 . XAA27058 @ alcove . wittsend . com>

Michael H. Warfield wrote:


>         If you only trust a chrooted version of apache or CERN, you are a
> fool.  Chroot does help.  But there ARE exploits for getting out of chrooted
> jails (especially if you manage to get superuser), just as there are
> exploits for getting superuser.  I, personally, don't "only" trust ANYTHING.
> I depend on a combination of "things" of which chroot, and non-superuser
> id's are only part.  I do not "trust" chroot nor a non-root user.  The
> combination of the two is better.  The combination of the two behind a
> firewall is still better.  Those behind a filtering router are better yet
> still.  Depend on one thing and it should be this:  NOTHING is bullet-proof
> (or fool proof for that matter).

Trying to escape a chroot() environment, I only succeeded in killing
some processes, but I never succeeded in escaping. How did you manage that?

> 
> > cu, Guido Stepken
> 
>         Regards,
>         Mike
> --
>  Michael H. Warfield    |  (770) 985-6132   |  mhw @ WittsEnd . com
>   (The Mad Wizard)      |  (770) 925-8248   |  http://www.wittsend.com/mhw/
>   NIC whois:  MHW9      |  An optimist believes we live in the best of all
>  PGP Key: 0xDF1DD471    |  possible worlds.  A pessimist is sure of it!

