The best way to set this up is aggressively. As you have no good reason for the daemon within the jail to operate as root, use the setuid command to specifically set the real UID to something other than zero. Running chroot() should give output similar to the following:
chdir ("/chroot/daemon name"); chroot("/chroot/daemon name"); setuid(Non-zero UserlD);
The most significant portion of the output is the last line, which sets the user ID. Its value should be the user ID of a user on the system that has the absolute least permissions. If this is set properly, users should have no way to obtain root privileges on the system, unless a vulnerability is found within the environment or utilities enabling the daemon to escape are carelessly added to it.
Oftentimes, developers use the seteuid() call as a shortcut, instead of the setuid() call, but this is a mistake as it only sets the effective user ID. If the real UID is 0, users can change their own effective user ID back to 0, even if they currently have the effective UID
of an unprivileged user. Essentially, root can grant itself permissions that it does not currently have since it is the superuser.
Developers should consider this carefully since privilege escalation in this scenario can be trivial and the price of shortcuts costly. The seteuid() call should not be used as a security measure, but to allow the user to perform tasks that cannot be done as an unprivileged user. Though undesirable to employ at all, sometimes you cannot avoid it.
Was this article helpful?
Read how to maintain and repair any desktop and laptop computer. This Ebook has articles with photos and videos that show detailed step by step pc repair and maintenance procedures. There are many links to online videos that explain how you can build, maintain, speed up, clean, and repair your computer yourself. Put the money that you were going to pay the PC Tech in your own pocket.