Subject: chroot(2)
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 10/01/1998 16:54:01
Pursuant to an independent discussion, I've been thinking about chroot.
It would be Really Nice to allow chroot to work for mortals, to allow
simple implementation of certain sorts of sandboxes.

So, I was thinking, "why doesn't it presently?".  The only reason I can
see is that if the user has (or can create) a writeable directory on
the same filesystem as certain set-id executables, it becomes really
easy to leverage privilege.  It would also make escaping from a chroot
jail easier.

To address the first, I would suggest that processes, as well as mount
points, have a "don't honor set-id bits" flag, and that non-root
chroot() should set this flag.  To address the second, I suggest
requiring that the path passed to chroot be an absolute path (in
particular, "." is disallowed).

Comments?  Do these actually address the risks?  Are there other risks
I haven't listed?  (Does anyone care? :-)

					der Mouse

		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
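Added example, not code from der Mouse or from NetBSD: a user-space jail-entry routine that applies the path rule proposed above (absolute path only, "." refused) before calling chroot(2), and then does the two things a chroot sandbox has to do anyway: move the working directory inside the new root and drop privileges. The names enter_jail() and chroot_path_ok() are chosen here, the jail path and uid in main() are constructed, and rejecting ".." components is an added strictness the post does not ask for. The Linux prctl(2) call is a later mechanism that behaves like the per-process "don't honor set-id bits" flag the post proposes; it is compiled in only on Linux.

```c
#define _DEFAULT_SOURCE 1
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/*
 * Path rule from the post: the chroot target must be absolute, and "."
 * is disallowed.  Added strictness (an assumption of this example): any
 * "." or ".." component is rejected, so "/var/jail/.." or "/var/./jail"
 * cannot dress a relative step up as an absolute path.
 * Returns 1 if the path is acceptable, 0 otherwise.
 */
int chroot_path_ok(const char *path)
{
    const char *p;

    if (path == NULL || path[0] != '/')
        return 0;

    for (p = path; *p != '\0'; ) {
        const char *start;
        size_t len;

        while (*p == '/')                 /* skip one or more separators */
            p++;
        start = p;
        while (*p != '\0' && *p != '/')   /* scan one component */
            p++;
        len = (size_t)(p - start);
        if ((len == 1 && start[0] == '.') ||
            (len == 2 && start[0] == '.' && start[1] == '.'))
            return 0;
    }
    return 1;
}

/*
 * Enter the jail rooted at `root` and continue as uid/gid.  Must run as
 * root, since chroot(2) and switching uid require it.  Returns 0 on
 * success, -1 with errno set on failure; a bad path or a request to stay
 * uid 0 fails with EINVAL before any privileged call is made.
 *
 * Caveat the absolute-path rule does not cover: the caller must not hold
 * an open descriptor for a directory outside `root` (fchdir(2) on it
 * leaves the jail), and the working directory must be moved inside the
 * new root, which is why chdir("/") follows chroot().  A production
 * version would also clear supplementary groups with setgroups(2).
 */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (!chroot_path_ok(root)) {
        errno = EINVAL;
        return -1;
    }
    if (uid == 0) {            /* root inside a chroot can re-chroot its way out */
        errno = EINVAL;
        return -1;
    }
#ifdef __linux__
    /* Per-process "ignore set-id bits on exec", as the post proposes for
     * non-root chroot(); on Linux this is PR_SET_NO_NEW_PRIVS. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) == -1)
        return -1;
#endif
    if (chroot(root) == -1)
        return -1;
    if (chdir("/") == -1)      /* cwd was outside the new root until now */
        return -1;
    if (setgid(gid) == -1 || setuid(uid) == -1)
        return -1;
    if (setuid(0) == 0) {      /* privilege must be gone, not merely saved */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed example values: a jail directory and the "nobody" uid/gid. */
    const char *root = argc > 1 ? argv[1] : "/var/jail";

    if (enter_jail(root, 65534, 65534) == -1) {
        perror("enter_jail");
        return 1;
    }
    /* Confined from here on: only binaries under the jail are reachable. */
    execl("/bin/sh", "sh", (char *)NULL);
    perror("execl");
    return 1;
}
```

Run as root with the jail directory as the only argument; without root, chroot(2) fails with EPERM, which is exactly the restriction the post is discussing. The path check is deliberately done first so that a rejected path never reaches a privileged call.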