Subject: Re: chroot(2)
To: None <>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 10/02/1998 10:28:43
> i've always hated chroot(2)'s inability to correctly deal with leter
> normal users do this.  from a security perspective, the functionality
> is really nice, but having to be root *first* is a lose...

Well, if you just take a current kernel and remove the suser() check
from chroot, you open up two big holes: (1) it's really easy to do
things like build your own /etc/master.passwd in a chroot tree,
hardlink in su, and get yourself a root shell; and (2) it's really easy
to escape from a chrooted jail, provided there's at least one
subdirectory of the jail's root (which is (almost?) invariably true).

I see no indication that you like or dislike my suggestions for dealing
with those problems, nor did you provide any of your own, nor even an
indication that you didn't consider them problems.

In response to my note, one person has pointed out that chdir/fchdir
needs some kind of restriction, or (2) is still pretty easy even if
chroot is restricted to absolute pathnames.  Thus, I modify my
suggestion for (2) to say that non-root users cannot chroot or chdir
(including fchdir and fchroot, the latter nonexistent ATM anyway) to a
directory that is not under the current root (one from which walking ..
links doesn't lead to the processes' current root).  If this is done,
the "absolute path only" restriction on chroot can be removed, since
its goal is better served by this restriction.

					der Mouse

		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B