Shared libraries loaded after chroot
Marc Haber
mh+bind-users at zugschlus.de
Tue May 17 05:18:40 UTC 2016
On Mon, May 16, 2016 at 08:51:41PM -0400, Paul Kosinski wrote:
> I have avoided the problem chroot causes in a fairly general fashion by
> using "mount --bind". For example:
>
> /bin/mount --bind /lib /chroot/dns/lib
>
> will make the entire /lib directory available to the chrooted BIND,
> assuming the path /chroot/dns is created beforehand to serve as the
> chroot base for running BIND.
This is a wrong and dangerous "fix" since it exposes the parent
system's /lib to the chroot. Preventing this exposure is the reason
for chroot in the first place.
> I have heard that chroot does not provide unbreakable isolation, and,
> of course, many extra files are made available to the chrooted process
> compared to copying the minimum number of individual files.
This is much worse than copying the minimum number of individual files
since it allows the chrooted root account to _directly_ _change_ the
files of the parent system. You can run unchrooted without much more
danger.
Greetings
Marc
--
-----------------------------------------------------------------------------
Marc Haber | "I don't trust Computers. They | Mailadresse im Header
Leimen, Germany | lose things." Winona Ryder | Fon: *49 6224 1600402
Nordisch by Nature | How to make an American Quilt | Fax: *49 6224 1600421
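As an added example that is not part of this thread, the following POSIX shell function gives a defender a quick check for the exposure discussed above: it reads /proc/self/mountinfo and lists every mount under a chroot base that shares a filesystem with a mount outside the chroot (i.e. a bind mount of a host directory) and is not marked read-only. The SAMPLE_MOUNTINFO lines and the /chroot/dns base are constructed for the demonstration.

```shell
#!/bin/sh
# Constructed sample in /proc/self/mountinfo format (not taken from a real host).
# Fields: id parent major:minor root mountpoint per-mount-options ... - fstype source superopts
SAMPLE_MOUNTINFO='36 25 8:1 / / rw,relatime - ext4 /dev/sda1 rw
97 36 8:1 /lib /chroot/dns/lib rw,relatime - ext4 /dev/sda1 rw
98 36 8:1 /usr/lib /chroot/dns/usr/lib ro,relatime - ext4 /dev/sda1 rw
99 36 0:4 / /chroot/dns/proc rw,nosuid - proc proc rw'

# writable_binds_under BASE < mountinfo
# Prints each mount below BASE whose backing filesystem (major:minor) is also
# mounted outside BASE and whose per-mount options lack "ro". Such a mount is a
# read-write view of a host directory: root inside the chroot can modify host files.
# A bind mount remounted with "-o remount,ro,bind" carries "ro" here and is not listed.
writable_binds_under() {
  awk -v base="$1" '
    {
      n++
      dev[n] = $3; root[n] = $4; mnt[n] = $5; opts[n] = $6
      inside[n] = (index($5, base "/") == 1 || $5 == base)
      if (!inside[n]) hostdev[$3] = 1     # filesystems visible outside the chroot
    }
    END {
      for (i = 1; i <= n; i++) {
        if (!inside[i] || !(dev[i] in hostdev)) continue
        split(opts[i], o, ","); ro = 0
        for (k in o) if (o[k] == "ro") ro = 1
        if (!ro) print mnt[i] " exposes host " root[i] " read-write"
      }
    }'
}

# Stand-alone demonstration on the constructed sample; on a live system use
#   writable_binds_under /chroot/dns < /proc/self/mountinfo
printf '%s\n' "$SAMPLE_MOUNTINFO" | writable_binds_under /chroot/dns
```

The sample flags only /chroot/dns/lib: /chroot/dns/usr/lib is a read-only bind mount and /chroot/dns/proc is a separate pseudo-filesystem rather than a view of the host's root filesystem.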