Subject: Re: chroot & null mount?
To: None <>
From: Peter Bex <>
List: netbsd-users
Date: 08/22/2007 09:26:20

On Tue, Aug 21, 2007 at 09:26:59PM -0700, James Hartley wrote:
> This is a newbie question.
> If I were to set up lighttpd in a chrooted environment, does the
> barrier go both ways?  Will I be able to access files within the
> chrooted directory from outside that environment?

A chroot is only for one particular process.  It uses a directory as
if it were the root directory, meaning it can't go up in the directory
hierarchy on your main filesystem.

Other non-chrooted processes can obviously still go down in the directory
hierarchy until they encounter the directory.

process A is chrooted in /var/chroot/chrootA
process B is chrooted in /var/chroot/chrootB
process C is not chrooted (/ is its root)

Process A, when referring to /foo will actually refer to
Process A can never go higher than /var/chroot/chrootA, so it can't touch
files for process B.  Process B can not touch files from process A because
their chroots don't overlap.
Process C can see everything, including the files process A and B can see.

If you were to make a process D chrooted in /var/chroot/chrootA/foo, then
process A can see process D's files, but process D can only see the subtree
of A inside foo.

Of course, you could still protect the chrooted directory so that only the
owner can read/write/execute and nobody else (bitmask 700).  The owner would
then be the user that lighttpd runs as (probably www or lighttpd).

> Section 6.3.6 of the pkgsrc guide mentions null mounts:
> ...yet I haven't been able to find this defined?  Can someone elaborate?

The idea of a sandbox is that anything inside the sandbox can't mess up the
rest of the system as it exists outside the sandbox.
Null mounts are mounts of the nullfs filesystem.  Have a look at the
mount_nullfs manpage for more info.

Basically the nullfs 'mounts' a directory under another directory.  This
allows you to share, say, /usr/bin between the sandbox and the real system:

mount_nullfs -o ro /usr/bin /var/chroot/chrootA/usr/bin

Then the chrooted process A will see in its /usr/bin the 'real' /usr/bin,
without needing access on that part in the real filesystem.  It will also
see it mounted as readonly, so it can not mess up anything if the process
is compromised somehow.

Hope this helps.

"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
							-- Donald Knuth
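The visibility rules and the sandbox layout from the reply above, as an added script that is not part of the original mail. It assumes NetBSD, where the nullfs mount command is mount_null(8) (the mail uses the FreeBSD name mount_nullfs); the chroot paths and the www user are hypothetical. The first two functions model on strings what chroot(2) does to path lookup (a chrooted process cannot climb above its root, and one chroot can only see another if it lies beneath it); the third builds the 700-mode skeleton and read-only null mounts, printing the privileged commands instead of running them unless DRY_RUN is cleared.

```shell
#!/bin/sh
# Added example (not from the original mail). Models the chroot visibility
# rules from the reply and builds the null-mount sandbox it describes.
# Assumption: NetBSD, where the nullfs mount command is mount_null(8)
# (the mail uses the FreeBSD name mount_nullfs). All paths are hypothetical.
# DRY_RUN defaults to 1 so the script only prints the privileged commands;
# run with DRY_RUN= as root to execute them.
DRY_RUN=${DRY_RUN-1}

# chroot_resolve ROOT PATH: the real-filesystem location that PATH names
# for a process chrooted at ROOT. ".." can never climb above ROOT, which is
# the "can't go up in the hierarchy" property described in the mail.
chroot_resolve() {
    root=${1%/}
    out=""
    oldifs=$IFS
    IFS=/
    for comp in $2; do
        case $comp in
            ""|.) ;;                    # empty or "." component: no change
            ..) out=${out%/*} ;;        # drop last component; "" stays ""
            *) out="$out/$comp" ;;
        esac
    done
    IFS=$oldifs
    printf '%s\n' "$root$out"
}

# chroot_contains ROOT_A ROOT_B: true when a process chrooted at ROOT_A can
# reach ROOT_B's subtree, i.e. ROOT_B is ROOT_A itself or lies beneath it.
# ROOT_A of "/" (a process that is not chrooted) therefore contains all.
chroot_contains() {
    a=${1%/}
    b=${2%/}
    case $b in
        "$a"|"$a"/*) return 0 ;;
        *) return 1 ;;
    esac
}

# run CMD...: print the command in dry-run mode, otherwise execute it.
run() {
    if [ -n "$DRY_RUN" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# make_sandbox ROOT USER: skeleton owned by USER with mode 700 (as the mail
# suggests for the user lighttpd runs as) plus read-only null mounts of the
# shared system directories, so a compromised process inside the chroot
# can read them but cannot modify them.
make_sandbox() {
    root=$1
    user=$2
    run mkdir -p "$root/usr/bin" "$root/lib" "$root/tmp"
    run chown "$user" "$root"
    run chmod 700 "$root"
    run mount_null -o ro /usr/bin "$root/usr/bin"
    run mount_null -o ro /lib "$root/lib"
}

# Demonstration with the process layout from the mail (A, B, C and D).
A=/var/chroot/chrootA
B=/var/chroot/chrootB
echo "A's /foo is really $(chroot_resolve "$A" /foo)"
echo "A's /../../etc/passwd is really $(chroot_resolve "$A" /../../etc/passwd)"
chroot_contains "$A" "$B" && echo "A can see B" || echo "A cannot see B"
chroot_contains / "$A" && echo "C (not chrooted) can see A"
chroot_contains "$A" "$A/foo" && echo "A can see D's subtree"
chroot_contains "$A/foo" "$A" || echo "D cannot see the rest of A"
make_sandbox "$A" www
```

Leave DRY_RUN at its default on any machine that is not the NetBSD host being set up; the mkdir, chown and mount_null lines are only printed. Note that chroot(2) restricts path lookup only, not privilege, so the process inside should run as the unprivileged owner of the directory (the www or lighttpd user the mail mentions) rather than as root.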
