tech-security archive


Re: Relax the prohibition of usage fchdir(2) to quit a chroot



I realize this was a week and change ago, but:

On Sun, Sep 21, 2014 at 12:17:27PM +0200, Kamil Rytarowski wrote:
 > Well, right the better word is 'add feature' and we would change
 > the discussion from 'don't touch anything' to 'let's add chroot
 > restrictions swappable in runtime, that's a cool feature opening
 > opportunities' and then to mind-storm ideas what and how to
 > restrict.

I think you mean "opening vulnerabilities". If you have a runtime
switch to turn chroot restrictions off, then there are no chroot
restrictions because anything they're trying to block can just turn
them off first.

You could try to make the sysctl accessible only from outside all
chroots, but good luck enforcing that... and it's still insecure
because it's too broad a switch.

I agree with everyone else - fix the program.

I don't understand your example, either. If your package contains a
postinstall script that runs mknod /dev/console, that had better be
run *in* the chroot so it creates the chroot's console. If you run it
outside the chroot, it'll create the console in the wrong /dev. So I
don't see that there's even a problem.

-- 
David A. Holland
dholland%netbsd.org@localhost

