[prev in list] [next in list] [prev in thread] [next in thread]
List: freebsd-hackers
Subject: Re: Is it possible to exit the chroot(2) environment?
From: Warner Losh <imp () bsdimp ! com>
Date: 2020-10-17 0:12:05
Message-ID: CANCZdfqSN8oPd1bTOxRKAyH0QXo-qMXiGaGCwjLuQQvB3a1jbQ () mail ! gmail ! com
[Download RAW message or body]
On Fri, Oct 16, 2020, 6:01 PM Yuri <yuri@rawbw.com> wrote:
> On 9/27/20 1:25 PM, Kyle Evans wrote:
> > +1. I think an additional sentence pointing out that that's the
> > traditional behavior would outline that this is perhaps what's needed,
> > maybe with a specific EPERM reference.
> >
> > It's tempting to also propose switching it to the even-more-strict 0
> > at some point, perhaps considering a procctl(2) if we really find some
> > scenarios where it's absolutely necessary... we'll leave that battle
> > to a different day, though.
>
>
> I have several questions though:
>
> 1) What does this check really guard against?
> kern.chroot_allow_open_directories=0 prevents chroot(2) when there are
> open directories, and kern.chroot_allow_open_directories=1 prevents exit
> from chrooted environment when there were open directories. But what is
> the benefit? The process opened some directories and holds open file
> handles. How can this interfere with choot? What could go wrong that is
> prevented by this check?
>
Some users of chroot don't want to exit the chroot environment. It's more
or a security thing. This is a very different intended use pattern than
your case. That's why it's a knob: it is more secure by default.
One might ask if such a default makes sense in a jail world... that's a
fair question.
2) Why is there no similar check for open files? Why directories are
> special?
>
Open directories can lead to jailbreak. Special files generally can't.
Warner
> Thank you,
>
> Yuri
>
>
>
_______________________________________________
freebsd-hackers@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-hackers
To unsubscribe, send any mail to "freebsd-hackers-unsubscribe@freebsd.org"
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic