On Sun, Jan 15, 2012 at 4:37 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
> Chroot can easily be used to subvert setuid programs. If no_new_privs,
> then setuid programs don't gain any privilege, so allow chroot.
>
> Because chroot is an easy way to break out of chroot jail, CAP_SYS_ADMIN
> is still required if the caller is already chrooted.
So I think this whole chroot thing needs more people looking at it. I
brought up chroot as an example, but there may be other reasons why
you don't want user chrooting things than just the setuid confusion.
There's also the whole issue with doing things like local non-root
bind mounts, which are arguably more useful than chroot, and which are
disallowed for similar reasons. So I don't think chroot is all that
special.
Linus
--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
