Subject: Re: chroot & null mount?
To: None <netbsd-users@NetBSD.org>
From: Peter Bex <Peter.Bex@xs4all.nl>
List: netbsd-users
Date: 08/22/2007 09:26:20

On Tue, Aug 21, 2007 at 09:26:59PM -0700, James Hartley wrote:
> This is a newbie question.
>
> If I were to set up lighttpd in a chrooted environment, does the
> barrier go both ways?  Will I be able to access files within the
> chrooted directory from outside that environment?

A chroot is only for one particular process.  It uses a directory as
if it were the root directory, meaning it can't go up in the directory
hierarchy on your main filesystem.

Other non-chrooted processes can obviously still go down in the directory
hierarchy until they encounter the directory.

Example:

process A is chrooted in /var/chroot/chrootA
process B is chrooted in /var/chroot/chrootB
process C is not chrooted (/ is its root)

Process A, when referring to /foo will actually refer to
/var/chroot/chrootA/foo
Process A can never go higher than /var/chroot/chrootA, so it can't touch
files for process B.  Process B can not touch files from process A because
their chroots don't overlap.
Process C can see everything, including the files process A and B can see.

If you were to make a process D chrooted in /var/chroot/chrootA/foo, then
process A can see process D's files, but process D can only see the subtree
of A inside foo.

Of course, you could still protect the chrooted directory so that only the
owner can read/write/execute and nobody else (bitmask 700).  The owner would
then be the user that lighttpd runs as (probably www or lighttpd).

> Section 6.3.6 of the pkgsrc guide mentions null mounts:
>
> http://netbsd.org/docs/pkgsrc/binary.html#setting-up-a-sandbox
>
> ...yet I haven't been able to find this defined?  Can someone elaborate?

The idea of a sandbox is that anything inside the sandbox can't mess up the
rest of the system as it exists outside the sandbox.
null mounts are mounts of the nullfs filesystem.  Have a look at the
mount_nullfs manpage for more info.

Basically the nullfs 'mounts' a directory under another directory.  This
allows you to share, say, /usr/bin between the sandbox and the real system:

mount_nullfs -o ro /usr/bin /var/chroot/chrootA/usr/bin

Then the chrooted process A will see in its /usr/bin the 'real' /usr/bin,
without needing access on that part in the real filesystem.  It will also
see it mounted as read-only, so it can not mess up anything if the process
is compromised somehow.

Hope this helps.

Regards,
Peter
-- 
http://sjamaan.ath.cx
--
"The process of preparing programs for a digital computer
 is especially attractive, not only because it can be economically
 and scientifically rewarding, but also because it can be an aesthetic
 experience much like composing poetry or music."
							-- Donald Knuth
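The rules in the reply above (a chrooted process resolves /foo to its chroot directory plus /foo, can never climb above that directory, a nested chroot sees only its own subtree, and a read-only nullfs mount shows the host's /usr/bin inside the chroot) can be checked without root or a NetBSD box by modelling the path arithmetic in plain sh. The script below is an added illustration, not code from the mail or from NetBSD; the function names, the mount table and the assumption that a chrooted process's working directory is its root (so relative paths resolve against the chroot) are all mine. It never calls chroot(8) or mount_nullfs(8).

```sh
#!/bin/sh
# Model of chroot(2) path resolution and of one read-only nullfs mount.
# Pure string handling; nothing here touches the real filesystem.

# resolve_in_chroot ROOT PATH
#   Print the host path that a process chrooted at ROOT reaches when it
#   opens PATH.  "." is dropped, ".." pops one component, and popping at
#   the chroot root is a no-op: the process can never climb above ROOT,
#   so /var/chroot/chrootA can never reach /var/chroot/chrootB.
#   Assumption (constructed for the model): the process's cwd is its root.
resolve_in_chroot() {
    root=${1%/}          # strip one trailing slash; "/" becomes ""
    rel=""               # accepted components, relative to ROOT
    rest=$2
    while [ -n "$rest" ]; do
        comp=${rest%%/*}                 # first component
        case $rest in
            */*) rest=${rest#*/} ;;      # drop it and its slash
            *)   rest="" ;;
        esac
        case $comp in
            ""|.) ;;                     # "//" or "." add nothing
            ..)   rel=${rel%/*} ;;       # pop; an empty rel stays empty
            *)    rel="$rel/$comp" ;;
        esac
    done
    [ -z "$root$rel" ] && rel=/          # "/" seen from a "/" root
    printf '%s\n' "$root$rel"
}

# chroot_can_see OUTER INNER
#   Succeed if a process chrooted at OUTER can reach the tree a process
#   chrooted at INNER lives in, i.e. INNER lies at or below OUTER.
#   chrootA sees chrootA/foo (process D) but not chrootB; a root of "/"
#   (the non-chrooted process C) sees everything.
chroot_can_see() {
    outer=${1%/}
    inner=${2%/}
    case "$inner/" in
        "$outer"/*) return 0 ;;
        *)          return 1 ;;
    esac
}

# Constructed mount table: exactly the nullfs mount shown in the mail.
# Fields: <mount point on the host> <directory mounted there> <options>
NULL_MOUNTS='/var/chroot/chrootA/usr/bin /usr/bin ro'

# backing_file ROOT PATH
#   Print "<host file> <ro|rw>" for PATH as seen from a chroot at ROOT,
#   following NULL_MOUNTS.  /usr/bin/ls inside chrootA is the host's
#   /usr/bin/ls, but read-only; anything else lives under ROOT, writable
#   (subject to the ordinary mode bits, which this model ignores).
backing_file() {
    hostpath=$(resolve_in_chroot "$1" "$2")
    printf '%s\n' "$NULL_MOUNTS" | {
        while read -r mp src opts; do
            case "$hostpath/" in
                "$mp"/*) printf '%s %s\n' "$src${hostpath#"$mp"}" "$opts"
                         exit 0 ;;
            esac
        done
        exit 1                           # no nullfs mount covers it
    } || printf '%s rw\n' "$hostpath"
}

# Walk through the scenarios from the mail when run directly.
echo "A opens /foo            -> $(resolve_in_chroot /var/chroot/chrootA /foo)"
echo "A tries ../../chrootB    -> $(resolve_in_chroot /var/chroot/chrootA ../../chrootB/x)"
echo "D opens /bar/../../baz  -> $(resolve_in_chroot /var/chroot/chrootA/foo /bar/../../baz)"
chroot_can_see /var/chroot/chrootA /var/chroot/chrootA/foo && echo "A can see D's tree"
chroot_can_see /var/chroot/chrootA /var/chroot/chrootB   || echo "A cannot see B's tree"
chroot_can_see / /var/chroot/chrootB                     && echo "C can see B's tree"
echo "A opens /usr/bin/ls     -> $(backing_file /var/chroot/chrootA /usr/bin/ls)"
echo "A opens /etc/passwd     -> $(backing_file /var/chroot/chrootA /etc/passwd)"
```

The escape attempt with `../..` is the interesting case: the model clamps it at the chroot root just as the kernel does, which is why the barrier only works in one direction. The nullfs line shows the other half of the mail's point: the file the chrooted process reaches is the host's own binary, but with the `ro` option nothing inside the chroot can modify it.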
