Subject: Re: i386 IO access and chroot()
To: Michael Richardson <mcr@sandelman.ottawa.on.ca>
From: gabriel rosenkoetter <gr@eclipsed.net>
List: tech-security
Date: 07/17/2001 16:19:31
On Tue, Jul 17, 2001 at 03:28:14PM -0400, Michael Richardson wrote:
>   chroot(2) should not.
>   (I do not even think that the fchdir() checks should be done. I've
> used the fact that you can fchdir() out of the chroot in some applications)
>   
>   But, I think that we should offer a facility like jail(2), etc. that does
> what is being asked for. 

Except that extant software relies on things like fchdir() out of
a chroot() to be disallowed by the operating system. BIND, for
instance. Do you really want to check and patch all the software
that uses the present state of NetBSD's chroot() to use a brand
new jail() instead?

(Ask Paul Vixie how much he wants to do that for BIND 8, why don't
you.)

Also, chroot() is understood in other operating systems (Solaris
comes to mind) to have the meaning we now give it, not the meaning
you'd like it to have. It is also, imho, the more logical meaning.
If I change a program's idea of where root is, then it should not be
able to see anything upwards of that point, being as the root of a
file system is supposed to be just that.

This is getting perhaps too far away from the technical and too far
into the semantic, though.

-- 
       ~ g r @ eclipsed.net