Date: Wed, 4 Jan 2012 02:04:20 +0000 (UTC) From: Xin LI <delphij@FreeBSD.org> To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r229459 - head/lib/libc/sys Message-ID: <201201040204.q0424KwA054581@svn.freebsd.org>
next in thread | raw e-mail | index | archive | help
Author: delphij Date: Wed Jan 4 02:04:20 2012 New Revision: 229459 URL: http://svn.freebsd.org/changeset/base/229459 Log: Document the fact that chroot(2) is no longer part of POSIX since SUSv3 and add a SECURITY CONSIDERATIONS section for recommended practices. Modified: head/lib/libc/sys/chroot.2 Modified: head/lib/libc/sys/chroot.2 ============================================================================== --- head/lib/libc/sys/chroot.2 Wed Jan 4 02:03:15 2012 (r229458) +++ head/lib/libc/sys/chroot.2 Wed Jan 4 02:04:20 2012 (r229459) @@ -28,7 +28,7 @@ .\" @(#)chroot.2 8.1 (Berkeley) 6/4/93 .\" $FreeBSD$ .\" -.Dd June 4, 1993 +.Dd January 3, 2012 .Dt CHROOT 2 .Os .Sh NAME @@ -134,9 +134,27 @@ The .Fn chroot system call appeared in .Bx 4.2 . +It was marked as +.Dq legacy +in +.St -susv2 , +and was removed in subsequent standards. .Sh BUGS If the process is able to change its working directory to the target directory, but another access control check fails (such as a check for open directories, or a MAC check), it is possible that this system call may return an error, with the working directory of the process left changed. +.Sh SECURITY CONSIDERATIONS +The system have many hardcoded paths to files where it may load after +the process starts. +It is generally recommended to drop privileges immediately after a +successful +.Nm +call, +and restrict write access to a limited subtree of the +.Nm +root, +for instance, +setup the sandbox so that the sandboxed user will have no write +access to any well-known system directories.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?201201040204.q0424KwA054581>