Re: [PATCH 4/4] Allow unprivileged chroot when safe

[Andy Lutomirski]

On Sun, Jan 15, 2012 at 4:45 PM, Linus Torvalds
<torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Sun, Jan 15, 2012 at 4:37 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>> Chroot can easily be used to subvert setuid programs.  If no_new_privs,
>> then setuid programs don't gain any privilege, so allow chroot.
>>
>> Because chroot is an easy way to break out of chroot jail, CAP_SYS_ADMIN
>> is still required if the caller is already chrooted.
>
> So I think this whole chroot thing needs more people looking at it. I
> brought up chroot as an example, but there may be other reasons why
> you don't want user chrooting things than just the setuid confusion.

Agreed.  There are plenty of security people cc'd.  Thoughts (and
attacks) are welcome!

>
> There's also the whole issue with doing things like local non-root
> bind mounts, which are arguably more useful than chroot, and which are
> disallowed for similar reasons. So I don't think chroot is all that
> special.

They're almost certainly more useful.  Binding the tree of your choice
on top of / is a nice (and more secure) way to emulate chroot.  The
only downside I've thought of in five minutes is that it would prevent
the administrator from blocking access to a directory by bind-mounting
something on to of it -- an unprivileged non-recursive bind mount of
the containing filesystem would get the hidden directory back.  I'm
not sure this is a real problem.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/