Re: [PATCH v3 4/4] Allow unprivileged chroot when safe

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Mon, 2012-01-30 at 16:38 -0600, Will Drewry wrote:
> On Mon, Jan 30, 2012 at 4:18 PM, Steven Rostedt <rostedt@xxxxxxxxxxx> wrote:
> > On Mon, 2012-01-30 at 16:58 -0500, Colin Walters wrote:
> >> On Mon, 2012-01-30 at 08:17 -0800, Andy Lutomirski wrote:
> >> > Chroot can easily be used to subvert setuid programs.  If no_new_privs,
> >> > then setuid programs don't gain any privilege, so allow chroot.
> >>
> >> Is this needed/desired by anyone now, or are you just using it to "demo"
> >> NO_NEW_PRIVS?  I don't see it as very useful on its own, since in any
> >> "container"-type chroot you really want /proc and /dev, and your patch
> >> doesn't help with that.
> >>
> >> System daemons that do chroot for a modicum of security already start
> >> privileged, so this doesn't help them either.
> >
> > I thought this was all for sandboxing? If a browers (or user) wants to
> > run some untrusted code, perhaps a chroot is the best way to do so. It
> > just will break if it needs to access /proc or /dev.

I think you'll find your definition of "code" becomes very limited
without /dev/null, /dev/zero and /proc/cpuinfo for example, as used by
glibc.

Personally I find it amazing we're even debating putting new
security-relevant API in the kernel with no known userspace consumer.
It can always go in later if someone actually wants it.

> Interestingly, I believe this change would work for the Chromium
> setuid sandbox[1]. It uses a fancy clone trick (CLONE_FS) to start the
> process then chroot once all its dependencies are loaded. It then
> chroot()s to /proc/self/fd_info (or another empty process-specific
> directory). 

But...it's setuid, so it can call chroot already?  I'm not following how
this change would benefit the helper.


--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html


[Index of Archives]     [Linux Ext4 Filesystem]     [Union Filesystem]     [Filesystem Testing]     [Ceph Users]     [Ecryptfs]     [AutoFS]     [Kernel Newbies]     [Share Photos]     [Security]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Linux Cachefs]     [Reiser Filesystem]     [Linux RAID]     [Samba]     [Device Mapper]     [CEPH Development]
  Powered by Linux