From owner-freebsd-arch@FreeBSD.ORG  Mon Jun 16 16:13:24 2014
Return-Path: <owner-freebsd-arch@FreeBSD.ORG>
Delivered-To: freebsd-arch@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [8.8.178.115])
 (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits))
 (No client certificate requested)
 by hub.freebsd.org (Postfix) with ESMTPS id A87F4E52
 for <freebsd-arch@FreeBSD.org>; Mon, 16 Jun 2014 16:13:24 +0000 (UTC)
Received: from kenobi.freebsd.org (kenobi.freebsd.org
 [IPv6:2001:1900:2254:206a::16:76])
 (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 (Client did not present a certificate)
 by mx1.freebsd.org (Postfix) with ESMTPS id 9032621EF
 for <freebsd-arch@FreeBSD.org>; Mon, 16 Jun 2014 16:13:24 +0000 (UTC)
Received: from bugs.freebsd.org ([127.0.1.118])
 by kenobi.freebsd.org (8.14.8/8.14.8) with ESMTP id s5GGDOf5058078
 for <freebsd-arch@FreeBSD.org>; Mon, 16 Jun 2014 17:13:24 +0100 (BST)
 (envelope-from bugzilla-noreply@freebsd.org)
From: bugzilla-noreply@freebsd.org
To: freebsd-arch@FreeBSD.org
Subject: [Bug 121073] [kernel] [patch] run chroot as an unprivileged user
Date: Mon, 16 Jun 2014 16:13:24 +0000
X-Bugzilla-Reason: CC
X-Bugzilla-Type: changed
X-Bugzilla-Watch-Reason: None
X-Bugzilla-Product: Base System
X-Bugzilla-Component: kern
X-Bugzilla-Version: 8.0-CURRENT
X-Bugzilla-Keywords: 
X-Bugzilla-Severity: Affects Only Me
X-Bugzilla-Who: nwhitehorn@FreeBSD.org
X-Bugzilla-Status: In Discussion
X-Bugzilla-Priority: Normal
X-Bugzilla-Assigned-To: freebsd-bugs@FreeBSD.org
X-Bugzilla-Target-Milestone: ---
X-Bugzilla-Flags: 
X-Bugzilla-Changed-Fields: 
Message-ID: <bug-121073-24229-J4iGiQJ3AI@https.bugs.freebsd.org/bugzilla/>
In-Reply-To: <bug-121073-24229@https.bugs.freebsd.org/bugzilla/>
References: <bug-121073-24229@https.bugs.freebsd.org/bugzilla/>
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
X-Bugzilla-URL: https://bugs.freebsd.org/bugzilla/
Auto-Submitted: auto-generated
MIME-Version: 1.0
X-BeenThere: freebsd-arch@freebsd.org
X-Mailman-Version: 2.1.18
Precedence: list
List-Id: Discussion related to FreeBSD architecture <freebsd-arch.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/options/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-arch/>
List-Post: <mailto:freebsd-arch@freebsd.org>
List-Help: <mailto:freebsd-arch-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-arch>,
 <mailto:freebsd-arch-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Mon, 16 Jun 2014 16:13:24 -0000

https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073

--- Comment #9 from Nathan Whitehorn <nwhitehorn@FreeBSD.org> ---
There are, I think, two potential security issues here:
1. Many pieces of software assume that if you chroot and drop privileges, no
further chroot is possible.
2. There could be sneaky ways of obtaining privileges once no-new-privileges is
set.

(1) is pretty straightforward since we can just disallow unprivileged chroot
after any other chroot. (2) is the complex one. Are there others?

Some no-cred-change property for processes seems extremely useful from a
security perspective and, if we have one we could trust, this patch becomes
trivial. Would it make sense just to work on that first and come back to
unprivileged chroot later?

-- 
You are receiving this mail because:
You are on the CC list for the bug.