On Sun, Jan 15, 2012 at 4:45 PM, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx> wrote:
> On Sun, Jan 15, 2012 at 4:37 PM, Andy Lutomirski <luto@xxxxxxxxxxxxxx> wrote:
>> Chroot can easily be used to subvert setuid programs. If no_new_privs,
>> then setuid programs don't gain any privilege, so allow chroot.
>>
>> Because chroot is an easy way to break out of chroot jail, CAP_SYS_ADMIN
>> is still required if the caller is already chrooted.
>
> So I think this whole chroot thing needs more people looking at it. I
> brought up chroot as an example, but there may be other reasons why
> you don't want user chrooting things than just the setuid confusion.

Agreed. There are plenty of security people cc'd. Thoughts (and attacks) are welcome!

>
> There's also the whole issue with doing things like local non-root
> bind mounts, which are arguably more useful than chroot, and which are
> disallowed for similar reasons. So I don't think chroot is all that
> special.

They're almost certainly more useful. Binding the tree of your choice on top of / is a nice (and more secure) way to emulate chroot.

The only downside I've thought of in five minutes is that it would prevent the administrator from blocking access to a directory by bind-mounting something on top of it -- an unprivileged non-recursive bind mount of the containing filesystem would get the hidden directory back. I'm not sure this is a real problem.

--Andy
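As an added illustration of the mechanism the thread is debating (not code from the patch or from either author): the program below sets the per-process no_new_privs bit with prctl(2), reads it back, and then probes whether the running kernel lets the caller chroot. On a stock kernel chroot still requires CAP_SYS_CHROOT regardless of no_new_privs, so an unprivileged run reports EPERM; the proposal quoted above would relax that check. The fallback prctl constants are the kernel ABI values, supplied only for old headers.

```c
/* Added example (not from the thread): probe how no_new_privs and chroot
 * interact on the running Linux kernel. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>

#ifndef PR_SET_NO_NEW_PRIVS
#define PR_SET_NO_NEW_PRIVS 38   /* kernel ABI value, for old headers */
#endif
#ifndef PR_GET_NO_NEW_PRIVS
#define PR_GET_NO_NEW_PRIVS 39
#endif

/* Set the no_new_privs bit for this process (it is irreversible and is
 * inherited across fork and execve, so later setuid/setgid or file-capability
 * execs grant nothing). Returns 1 if the kernel reports the bit set,
 * 0 if it is clear, or -errno if the prctl is unsupported. */
int set_no_new_privs(void)
{
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -errno;
    int v = prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
    return v < 0 ? -errno : v;
}

/* chroot("/") leaves the process root unchanged when it is permitted, so it
 * exercises the kernel's permission check without moving the caller anywhere.
 * Returns 0 if chroot is allowed, -errno (normally -EPERM) if it is refused. */
int probe_chroot(void)
{
    return chroot("/") == 0 ? 0 : -errno;
}

int main(void)
{
    int nnp = set_no_new_privs();
    int rc = probe_chroot();
    printf("NoNewPrivs: %d\n", nnp);
    printf("chroot(\"/\"): %s\n", rc == 0 ? "allowed" : strerror(-rc));
    if (rc == -EPERM)
        puts("this kernel still requires CAP_SYS_CHROOT even with no_new_privs");
    return 0;
}
```

Run it twice, once as an ordinary user and once with CAP_SYS_CHROOT, to see the two outcomes; the NoNewPrivs line should read 1 in both cases on any kernel since 3.5.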