Subject: chroot(2)
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 10/01/1998 16:54:01
Pursuant to an independent discussion, I've been thinking about chroot.
It would be Really Nice to allow chroot to work for mortals, to allow
simple implementation of certain sorts of sandboxes.

So, I was thinking, "why doesn't it presently?".  The only reason I can
see is that if the user has (or can create) a writeable directory on
the same filesystem as certain set-id executables, it becomes really
easy to leverage privilege.  It would also make escaping from a chroot
jail easier.

To address the first, I would suggest that processes, as well as mount
points, have a "don't honor set-id bits" flag, and that non-root
chroot() should set this flag.  To address the second, I suggest
requiring that the path passed to chroot be an absolute path (in
particular, "." is disallowed).

Comments?  Do these actually address the risks?  Are there other risks
I haven't listed?  (Does anyone care? :-)

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
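As an added example (not part of der Mouse's mail or of NetBSD's code), a small jail launcher in C that applies the two safeguards proposed above: the root path must be absolute, and set-id bits are no longer honoured once inside. It assumes Linux, where PR_SET_NO_NEW_PRIVS stands in for the proposed per-process "don't honor set-id bits" flag; chroot(2) itself still requires root, so the launcher starts as root and drops to the given uid/gid afterwards.

```c
/* Added example, not from the original mail: a jail launcher implementing
 * the two proposed safeguards with modern stand-ins.  Rule 1: the chroot
 * path must be absolute.  Rule 2: set-id bits are not honoured afterwards;
 * on Linux the stand-in for the proposed per-process flag is
 * PR_SET_NO_NEW_PRIVS.  chroot(2) still needs root, so start as root. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#ifdef __linux__
#include <sys/prctl.h>
#endif

/* Rule 1: only an absolute path is accepted; "." and "jail" are refused. */
int path_is_acceptable(const char *root)
{
    return root != NULL && root[0] == '/';
}

/* Enter the jail, then drop to uid/gid.  Returns 0 on success, -1 on the
 * first failing step (errno set); the caller must not continue after -1. */
int enter_jail(const char *root, uid_t uid, gid_t gid)
{
    if (!path_is_acceptable(root)) { errno = EINVAL; return -1; }
#ifdef __linux__
    /* Rule 2: this process and its children stop honouring set-id bits. */
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0) return -1;
#else
    errno = ENOSYS; return -1;      /* refuse rather than skip the control */
#endif
    if (chroot(root) != 0) return -1;
    if (chdir("/") != 0) return -1; /* cwd must not stay outside the jail */
    if (setgroups(0, NULL) != 0) return -1;
    if (setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1; /* give up root last */
    return 0;
}

int main(int argc, char **argv)
{
    if (argc < 5) { fprintf(stderr, "usage: %s /abs/jail uid gid prog [args...]\n", argv[0]); return 2; }
    if (enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) { perror("enter_jail"); return 1; }
    execv(argv[4], argv + 4);       /* reached only once the jail is fully entered */
    perror("execv");
    return 1;
}
```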