Re: [PATCH v3 4/4] Allow unprivileged chroot when safe

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

To: Andy Lutomirski <luto@xxxxxxxxxxxxxx>
Subject: Re: [PATCH v3 4/4] Allow unprivileged chroot when safe
From: Colin Walters <walters@xxxxxxxxxx>
Date: Mon, 30 Jan 2012 18:10:45 -0500
Cc: Will Drewry <wad@xxxxxxxxxxxx>, linux-kernel@xxxxxxxxxxxxxxx, Casey Schaufler <casey@xxxxxxxxxxxxxxxx>, Linus Torvalds <torvalds@xxxxxxxxxxxxxxxxxxxx>, Jamie Lokier <jamie@xxxxxxxxxxxxx>, keescook@xxxxxxxxxxxx, john.johansen@xxxxxxxxxxxxx, serge.hallyn@xxxxxxxxxxxxx, coreyb@xxxxxxxxxxxxxxxxxx, pmoore@xxxxxxxxxx, eparis@xxxxxxxxxx, djm@xxxxxxxxxxx, segoon@xxxxxxxxxxxx, rostedt@xxxxxxxxxxx, jmorris@xxxxxxxxx, scarybeasts@xxxxxxxxx, avi@xxxxxxxxxx, penberg@xxxxxxxxxxxxxx, viro@xxxxxxxxxxxxxxxxxx, mingo@xxxxxxx, akpm@xxxxxxxxxxxxxxxxxxxx, khilman@xxxxxx, borislav.petkov@xxxxxxx, amwang@xxxxxxxxxx, oleg@xxxxxxxxxx, ak@xxxxxxxxxxxxxxx, eric.dumazet@xxxxxxxxx, gregkh@xxxxxxx, dhowells@xxxxxxxxxx, daniel.lezcano@xxxxxxx, linux-fsdevel@xxxxxxxxxxxxxxx, linux-security-module@xxxxxxxxxxxxxxx, olofj@xxxxxxxxxxxx, mhalcrow@xxxxxxxxxx, dlaor@xxxxxxxxxx, corbet@xxxxxxx, alan@xxxxxxxxxxxxxxxxxxx
In-reply-to: <CALCETrVMYaz0F9N5aecLJCo3da6zAE3hw+kEH+UFBoajjVu0sw@mail.gmail.com>

On Mon, 2012-01-30 at 14:43 -0800, Andy Lutomirski wrote:

> You don't need a setuid binary.  Just have an initscript set up the bind mounts.

The point is that dchroot is already setuid root, and calls chroot, so
it gains nothing from the ability to do it unprivileged.

(And wow, I just looked at the source, it's a setuid C++ binary!  Using
boost.  Ugh...)



--
To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Follow-Ups:
- Re: [PATCH v3 4/4] Allow unprivileged chroot when safe
  - From: Andy Lutomirski

References:
- [PATCH v3 0/4] PR_SET_NO_NEW_PRIVS, unshare, and chroot
  - From: Andy Lutomirski
- [PATCH v3 4/4] Allow unprivileged chroot when safe
  - From: Andy Lutomirski
- Re: [PATCH v3 4/4] Allow unprivileged chroot when safe
  - From: Colin Walters
- Re: [PATCH v3 4/4] Allow unprivileged chroot when safe
  - From: Andy Lutomirski
- Re: [PATCH v3 4/4] Allow unprivileged chroot when safe
  - From: Colin Walters
- Re: [PATCH v3 4/4] Allow unprivileged chroot when safe
  - From: Andy Lutomirski

Prev by Date: Re: [PATCH v5 2/3] seccomp_filters: system call filtering using BPF
Next by Date: Re: [PATCH v3 4/4] Allow unprivileged chroot when safe
Previous by thread: Re: [PATCH v3 4/4] Allow unprivileged chroot when safe
Next by thread: Re: [PATCH v3 4/4] Allow unprivileged chroot when safe
Index(es):
- Date
- Thread

[Index of Archives] [Linux Ext4 Filesystem] [Union Filesystem] [Filesystem Testing] [Ceph Users] [Ecryptfs] [AutoFS] [Kernel Newbies] [Share Photos] [Security] [Netfilter] [Bugtraq] [Yosemite News] [MIPS Linux] [ARM Linux] [Linux Security] [Linux Cachefs] [Reiser Filesystem] [Linux RAID] [Samba] [Device Mapper] [CEPH Development]