To: linux-kernel@vger.kernel.org
Path: not-for-mail
From: daw@mozart.cs.berkeley.edu (David Wagner)
Newsgroups: isaac.lists.linux-kernel
Subject: Re: can chroot be made safe for non-root?
Date: 16 Oct 2002 21:14:43 GMT
Organization: University of California, Berkeley
Distribution: isaac
Message-ID: <aokks3$955$1@abraham.cs.berkeley.edu>
References: <20021016015106.E30836@ma-northadams1b-3.bur.adelphia.net>
NNTP-Posting-Host: mozart.cs.berkeley.edu
NNTP-Posting-Date: 16 Oct 2002 21:14:43 GMT
Originator: daw@mozart.cs.berkeley.edu (David Wagner)
Sender: linux-kernel-owner@vger.kernel.org
Content-Length: 965
Lines: 17

Eric Buddington  wrote:
>Would it be reasonable to allow non-root processes to chroot(), if the
>chroot syscall also changed the cwd for non-root processes?

It might be reasonable.  It is a little bit tricky, as if you're not
careful, this can open up security holes.  However, one course project
in a class I taught two years ago proposed a way to safely allow non-root
processes to use chroot().  Look here:
  http://www.cs.berkeley.edu/~smcpeak/cs261/index.html

You might also be interested in the LSM project; in sandboxes like
SubDomain, Janus, SELinux, systrace, and the like; in privilege separation;
in OpenBSD's jail(); and similar topics.

>(who wishes there were better ways to run untrusted code)

Me, too.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/