Does using chroot for a publicly-exposed service provide any real security benefit?

Solution 1:

You should never consider a chroot a complete security feature. While it makes attacks harder, if you do manage to get some control inside the chroot, it is fairly easy to break out of. There's a method involving chrooting to a parent directory (..). More info here. The reason that chroot gives some security benefit is that many of the applications that a hacker might expect to have around just won't be there. If given the choice between something being chrooted or not chrooted, I'd pick the chrooted option.

A better approach would be something like BSD's jail, Solaris's zones or some virtualisation technology like KVM or Xen. These approaches take the same compartmentalisation idea that chroot does and make it stronger. You could also look at something like SELinux, but this is slightly more complicated, and therefore prone to mistakes.

Solution 2:

As I understand it, there is a method for breaking out of a chroot jail (...) then why are some installations still pursuing it?

You can say the same thing about passwords. The point is that quite often securing some resources means placing so many obstacles in the intruder's way as to force him to give up before reaching the target. You can't rely on a single method to secure a given resource. Furthermore, chrooting gives you more control over an application you're running. You can restrict the file system resources this app has access to.

Solution 3:

Yes it does.

  • If your daemon or whatever is providing the service does not run as root, then even a hole in that daemon is isolated from the rest of the system.
  • If your OS can restrict operations that can be done while chroot()ed, it's even better. grsec patches to Linux, for example, can remove the ability of the root user inside a chroot to break out, or to create /dev nodes inside the chroot.

If, however, you get an exploitable kernel bug (or just a root hole, if not using grsec or BSD jails) inside the chroot, then the whole system is owned. Not so if you run a real virtualizer (such as VMware, but NOT BSD jails; they don't help since they use the same kernel for all "systems").

So yes, it adds a security layer, if used correctly.
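The first bullet above depends on the daemon actually ending up unprivileged inside the chroot. Here is an added example (not from any answer on this page) of the sequence a service should perform: chroot, chdir to the new root, drop groups, then drop the user, and verify root cannot be regained. The os calls are parameters so the ordering can be exercised without root; the path /var/empty and uid/gid 65534 are assumed placeholders.

```python
"""Defensive chroot entry: confine the process, then drop root for good."""
import os
from typing import Callable, List, Tuple


class ConfinementError(RuntimeError):
    """Raised when the process would stay root or the privilege drop failed."""


def drop_into_chroot(
    root: str,
    uid: int,
    gid: int,
    *,
    chroot: Callable[[str], None] = os.chroot,
    chdir: Callable[[str], None] = os.chdir,
    setgroups: Callable[[List[int]], None] = os.setgroups,
    setgid: Callable[[int], None] = os.setgid,
    setuid: Callable[[int], None] = os.setuid,
    getuid: Callable[[], int] = os.getuid,
) -> List[Tuple[str, object]]:
    """Enter `root` and become uid/gid. Returns the steps taken, for auditing.

    Order matters: chroot() changes only the root directory, not the working
    directory, so chdir("/") must follow it or the process keeps a foothold
    outside the new root. Group changes need root, so they precede setuid().
    A root process inside a chroot can still create device nodes or use the
    parent-directory trick, so staying root is refused outright.
    """
    if uid == 0 or gid == 0:
        raise ConfinementError("refusing to remain root inside the chroot")
    steps: List[Tuple[str, object]] = []
    chroot(root)
    steps.append(("chroot", root))
    chdir("/")
    steps.append(("chdir", "/"))
    setgroups([])                      # no supplementary groups survive
    steps.append(("setgroups", []))
    setgid(gid)
    steps.append(("setgid", gid))
    setuid(uid)                        # sets real, effective and saved uid
    steps.append(("setuid", uid))
    # The drop must be permanent: regaining uid 0 has to fail now.
    try:
        setuid(0)
    except PermissionError:
        steps.append(("verify", "cannot regain root"))
    else:
        raise ConfinementError("privilege drop not effective: setuid(0) worked")
    if getuid() != uid:
        raise ConfinementError("uid did not change")
    return steps
```

Run for real, this function must be called once at startup by a process that started as root (the real os calls need it); everything the daemon opens afterwards is relative to the new root.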

Solution 4:

So if there is no real value to this security measure, then why are some installations still pursuing it?

There may not be much security gained, but in some cases you make the system easier for the user. If they are not distracted by all the other stuff they don't need to see, they may find the system easier to use.