[MattRoseman08]

Hi,

I am a bit confused on my learning of permissions. I'll try my best to explain what I have done.

I have created a new unprivileged user with the following commands

sudo dscl . -create /Users/Privoxy
sudo dscl . -create /Users/Privoxy UserShell /usr/bin/false
sudo dscl . -create /Users/Privoxy RealName "Privoxy"
sudo dscl . -create /Users/Privoxy UniqueID 503
sudo dscl . -create /Users/Privoxy PrimaryGroupID 1000
sudo dscl . -create /Users/Privoxy NFSHomeDirectory /no/Home
sudo passwd Privoxy

and a group with the following commands

sudo dscl . create /groups/Privoxy
sudo dscl . create /groups/Privoxy name Privoxy
sudo dscl . create /groups/Privoxy passwd "*"
sudo dscl . create /groups/Privoxy gid 1000

Now I ran the commands

sudo chmod g-rwx /usr/local/Privoxy/*
sudo chmod o-rwx /usr/local/Privoxy/*
sudo chmod g-rwx /usr/local/Privoxy
sudo chmod o-rwx /usr/local/Privoxy
sudo chown -R Privoxyrivoxy /usr/local/Privoxy

Okay, so I believe this is what is done to lock down a program to a unprivileged user and limit the risk of exploits.

I was reading the Privoxy man page (Man page of PRIVOXY) and it mentioned something about 'chroot'. A quick google of chroot lead me to believe 'chroot' would improve the security of what I have already done.

Now when I start Privoxy with (What I thought was the correct command)

sudo /usr/local/Privoxy/sbin/privoxy --chroot /usr/local/Privoxy/ --user Privoxy.Privoxy /usr/local/Privoxy/etc/config

Privoxy aborted. So I assumed maybe the option '--chroot' did not need '/usr/local/Privoxy/' and removed it from the command.

So now I start Privoxy with the command

sudo /usr/local/Privoxy/sbin/privoxy --chroot --user Privoxy.Privoxy /usr/local/Privoxy/etc/config

Privoxy returns error

Mar 20 10:20:13.494 Privoxy(000000a8) Fatal error: Cannot chroot to /no/home

Now in the terms of security,
Should I leave the home folder of user Privoxy to '/no/home/' and NOT use '--chroot' while starting Privoxy?
Or
Should I change Privoxy's home folder to '/usr/local/Privoxy' and USE '--chroot' while starting Privoxy? Keep in mind that in either case of setting Privoxy's home folder, Privoxy's shell path remains '/usr/bin/false' as from what I understand Also limits the impact of exploits.

Thanks
Matt Roseman

[Big Mac]

It sounds like what you're trying to do is fairly technical, but I'm wondering what you're trying to achieve. What security are you concerned about improving? OS X is quite secure by design. Are you trying to prevent a non-admin user from having normal access to privilege escalation?

[Dork.]

From what I remember of chroot, when you use that command you are basically limiting how much of the filesystem a process can see, "changing" what it considers the root directory.

So, if you are running a process using chroot /home/foo, the process will actually see /home/foo as it's root directory.
If you want to access a file in directory /home/foo/bar, you will have to tell the chrooted process to look in /bar, since it has no concept of anything in the filesystem above /home/foo: It thinks that directory is / . If the chrooted process wants to access a file in /home/mysecretfiles, it's out of luck.

Your command failed because you still had the --chroot option in your command, but --chroot takes an argument (the directory to chroot to), and you didn't give it one. If you do not want to use the chroot feature, remove the --chroot from the command line, too.

Perhaps your initial chroot command would have worked if you specified the location of the config file where the process could see it, at /etc/config . But I'm not 100% sure about that, someone with more knowledge can probably confirm or deny that.

chroot is considered "more secure" because if someone manages to find an exploit for the process and gain access to your machine, the only files the attacker can see are the ones in the chroot jail (unless he can find another exploit to gain root access).

[MattRoseman08]

"Perhaps your initial chroot command would have worked if you specified the location of the config file where the process could see it, at /etc/config . But I'm not 100% sure about that, someone with more knowledge can probably confirm or deny that."

Did you mean something like

"sudo /usr/local/Privoxy/sbin/privoxy --chroot /usr/local/Privoxy/ --user Privoxy.Privoxy /etc/config"

If so, that command fails.

So.... Since I gave the user a home directory of /no/home/, User privoxy will only see files in /no/home/ (Which has no files nor does the directory exist) therefore if compromised, no filesystem is available for the hacker to see? Which would mean I would NOT have to chroot?

Thanks
Matt Roseman