From owner-freebsd-security@FreeBSD.ORG  Tue Jul 17 03:40:47 2007
Return-Path: <owner-freebsd-security@FreeBSD.ORG>
X-Original-To: freebsd-security@freebsd.org
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52])
	by hub.freebsd.org (Postfix) with ESMTP id 50A2E16A402
	for <freebsd-security@freebsd.org>;
	Tue, 17 Jul 2007 03:40:47 +0000 (UTC)
	(envelope-from stef@memberwebs.com)
Received: from mx.npubs.com (mail.wsfamily.com [209.66.100.224])
	by mx1.freebsd.org (Postfix) with ESMTP id 3E2EF13C4A7
	for <freebsd-security@freebsd.org>;
	Tue, 17 Jul 2007 03:40:47 +0000 (UTC)
	(envelope-from stef@memberwebs.com)
Received: from mx.npubs.com (avhost [209.66.100.194])
	by mx.npubs.com (Postfix) with ESMTP id 84914D4F8F
	for <freebsd-security@freebsd.org>;
	Tue, 17 Jul 2007 03:22:04 +0000 (UTC)
Received: from northstar-srv2 (unknown [172.27.2.11])
	by mx.npubs.com (Postfix) with ESMTP id 09BA8D4F8E
	for <freebsd-security@freebsd.org>;
	Tue, 17 Jul 2007 03:22:03 +0000 (UTC)
From: Stef Walter <stef@memberwebs.com>
User-Agent: Thunderbird 1.5.0.12 (X11/20070604)
MIME-Version: 1.0
To: freebsd-security@freebsd.org
X-Enigmail-Version: 0.94.2.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Message-Id: <20070717032204.09BA8D4F8E@mx.npubs.com>
X-Virus-Scanned: ClamAV using ClamSMTP
Date: Tue, 17 Jul 2007 03:22:04 +0000 (UTC)
X-Mailman-Approved-At: Tue, 17 Jul 2007 04:13:41 +0000
Subject: kern.chroot_allow_open_directories
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Security issues \[members-only posting\]"
	<freebsd-security.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-security>
List-Post: <mailto:freebsd-security@freebsd.org>
List-Help: <mailto:freebsd-security-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-security>, 
	<mailto:freebsd-security-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Tue, 17 Jul 2007 03:40:47 -0000

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The chroot(2) man page describes a sysctl called
'kern.chroot_allow_open_directories' which controls whether a process
can chroot() and is already subject to the chroot() syscall.

It seems that this sysctl can be trivially changed from within a
chroot'd process (ie: if that process has superuser privileges).

Is this sysctl meant to prevent breaking out of a chroot? Or am I
missing the point of 'kern.chroot_allow_open_directories'?

Cheers,
Stef
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.6 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFGnC7+e/sRCNknZa8RAhaJAKCSioePX83kGugueXzjs8MSz3KN+wCgmzMl
FvJxyklaeTGOcN1NSjl/llY=
=mrWp
-----END PGP SIGNATURE-----