Re: [PATCH v3 4/4] Allow unprivileged chroot when safe

[Andy Lutomirski]

On Mon, Jan 30, 2012 at 1:58 PM, Colin Walters <walters@xxxxxxxxxx> wrote:
> On Mon, 2012-01-30 at 08:17 -0800, Andy Lutomirski wrote:
>> Chroot can easily be used to subvert setuid programs.  If no_new_privs,
>> then setuid programs don't gain any privilege, so allow chroot.
>
> Is this needed/desired by anyone now, or are you just using it to "demo"
> NO_NEW_PRIVS?  I don't see it as very useful on its own, since in any
> "container"-type chroot you really want /proc and /dev, and your patch
> doesn't help with that.

It's a demo, but it could still be useful for container-ish things.
If something privileged sets up /proc, /sys, and /dev, then
unprivileged code can chroot into the container.  This would allow
much simpler implementations of tools like schroot.

>
> System daemons that do chroot for a modicum of security already start
> privileged, so this doesn't help them either.

With this change, they wouldn't need to start privileged.
(Admittedly, this isn't a great argument for this patch.)

It would be really nice to have unprivileged filesystem namespace
features, but that would be more complicated to do safely.

--Andy

>
>
>



-- 
Andy Lutomirski
AMA Capital Management, LLC
Office: (310) 553-5322
Mobile: (650) 906-0647
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/