Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id ; Fri, 18 Oct 2002 17:12:08 -0400 Received: (majordomo@vger.kernel.org) by vger.kernel.org id ; Fri, 18 Oct 2002 17:12:08 -0400 Received: from abraham.CS.Berkeley.EDU ([128.32.37.170]:8207 "EHLO mx2.cypherpunks.ca") by vger.kernel.org with ESMTP id ; Fri, 18 Oct 2002 17:12:08 -0400 To: linux-kernel@vger.kernel.org Path: not-for-mail From: daw@mozart.cs.berkeley.edu (David Wagner) Newsgroups: isaac.lists.linux-kernel Subject: Re: can chroot be made safe for non-root? Date: 18 Oct 2002 21:00:34 GMT Organization: University of California, Berkeley Distribution: isaac Message-ID: References: <20021016015106.E30836@ma-northadams1b-3.bur.adelphia.net> <20021018190101.GE237@elf.ucw.cz> <1034975267.2259.81.camel@zaphod> NNTP-Posting-Host: mozart.cs.berkeley.edu X-Trace: abraham.cs.berkeley.edu 1034974834 10928 128.32.153.211 (18 Oct 2002 21:00:34 GMT) X-Complaints-To: news@abraham.cs.berkeley.edu NNTP-Posting-Date: 18 Oct 2002 21:00:34 GMT X-Newsreader: trn 4.0-test74 (May 26, 2000) Originator: daw@mozart.cs.berkeley.edu (David Wagner) Sender: linux-kernel-owner@vger.kernel.org X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1213 Lines: 22 Shaya Potter wrote: >the problem with chroot() is that they dont nest. That's *a* problem, but not (IMHO) the most significant problem. The biggest disadvantages with chroot() (as I see it) are: * not useable unless you're root * too coarse-grained * only protects the filesystem, but not other resources (e.g., the network) * not suitable for jailing root > If however, one could provide even a single level of nesting, such that > a chroot outside of a chroot sets the first level, and any other chroot > after that sets the inner level, then even root wouldn't be able to > break out of the chroot (presuming it didn't bring any fd's into the > chroot w/ it). This is not quite right. There are LOTS of other ways that root can break out of a chroot. Actually, I suspect that nested chroot()s may not be needed very frequently, so I think a simpler approach may be simply to prevent a chrooted process from calling chroot() again: i.e., prevent nesting. - To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/