Date: Mon, 16 Jun 2014 12:19:41 +0000 From: bz-noreply@freebsd.org To: freebsd-arch@FreeBSD.org Subject: [Bug 121073] [kernel] [patch] run chroot as an unprivileged user Message-ID: <bug-121073-24229-DRzeZW4usT@https.bugs.freebsd.org/bugzilla/> In-Reply-To: <bug-121073-24229@https.bugs.freebsd.org/bugzilla/> References: <bug-121073-24229@https.bugs.freebsd.org/bugzilla/>
next in thread | previous in thread | raw e-mail | index | archive | help
https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073 Robert Watson <rwatson@FreeBSD.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |rwatson@FreeBSD.org --- Comment #8 from Robert Watson <rwatson@FreeBSD.org> --- A appreciate the desirability for the features implied by this change, but given the propensity for vulnerabilities relating to chroot() in the past, think we should take a very conservative approach to potentially adopting it. There's a particular concern with how it interacts with non-UNIX-ID-based models -- e.g., MAC, Capsicum, Audit, Jail, as well as a future fine-grained privilege model. Overall, I'd rate this proposed change as "extremely high risk; we will fix multiple vulnerabilities in it in the future," and so that cost would need to be carefully weighed against presumed benefit -- a fine-grained privilege model in which PRIV_CHROOT is delegable to only specific users or roles would help mitigate that risk. I wonder if a more suitable name for the proposed P_NOSUGID would be P_NOCREDCHANGE, and I also wonder if it should be CR_NOCREDCHANGE. -- You are receiving this mail because: You are on the CC list for the bug.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?bug-121073-24229-DRzeZW4usT>