Date: Thu, 24 Dec 1998 09:45:56 +1030 (CDT)
From: Mark Newton <newton@camtech.com.au>
To: eivind@yes.no (Eivind Eklund)
Cc: casper@acc.am, freebsd-security@FreeBSD.ORG
Subject: Re: About chroot
Message-ID: <199812232315.JAA13917@frenzy.ct>
In-Reply-To: <19981223142742.Q24362@follo.net> from Eivind Eklund at "Dec 23, 98 02:27:42 pm"

Eivind Eklund wrote:

> On Wed, Dec 23, 1998 at 02:10:18PM +0400, Casper wrote:
> > OK, thanx ... i'll look for this patch
> > (Safer chroot)
>
> That patch is not publically available yet.

k, until it is...

I have a patch which completely disables chroot() for processes which
have already been chroot()'ed (by making chroot() fail with EPERM if
the process' root directory is not the same as init's root directory
whether it's being called by the superuser or not).

I've posted it here before anything up to a year ago and don't recall
{any/much} complaining about it. It breaks traditional semantics so
it should be optional (if you are running the kind of site that finds
such a patch necessary you probably think that securing chroot() is
more important than preserving traditional semantics anyway).

If there's support for this (especially from the security guys) I can
wrap it in a sysctl knob and commit it (with notes in the chroot(2)
manpage describing the knob of course).

   - mark

---
Mark Newton                               Email: newton@camtech.com.au
Systems Engineer and Senior Trainer       Phone: +61-8-8303-3300
Camtech (SA), a member of the             Fax:   +61-8-8303-4403
CAMTECH group of companies                WWW:   http://www.camtech.com.au

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message
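
A user-space model of the check described in the message above, added here as an illustration; it is not Mark Newton's patch and not FreeBSD kernel code. The structures, the `restrict_nested_chroot` knob and `model_chroot()` are hypothetical names, and "same root directory as init" is modelled as pointer equality.

```c
#include <errno.h>
#include <stdio.h>

/* Hypothetical stand-ins for kernel state; not FreeBSD's real structures. */
struct vnode_model { const char *path; };

struct proc_model {
    unsigned uid;                      /* 0 = superuser */
    const struct vnode_model *root;    /* this process's root directory */
};

/* Hypothetical knob standing in for the proposed sysctl (name assumed). */
static int restrict_nested_chroot = 1;

/*
 * Returns 0 on success or an errno value.
 * init_root is the root directory of init, i.e. the "never chroot()ed" root.
 */
int model_chroot(struct proc_model *p, const struct vnode_model *init_root,
                 const struct vnode_model *newroot)
{
    /* Traditional rule: only the superuser may call chroot(). */
    if (p->uid != 0)
        return EPERM;
    /* Proposed rule: once the root differs from init's, refuse any
     * further chroot(), even when the caller is the superuser. */
    if (restrict_nested_chroot && p->root != init_root)
        return EPERM;
    p->root = newroot;
    return 0;
}

int main(void)
{
    /* Constructed sample directories. */
    struct vnode_model slash = { "/" }, jail = { "/jail" }, sub = { "/jail/sub" };
    struct proc_model p = { 0, &slash };

    printf("first chroot:  %d\n", model_chroot(&p, &slash, &jail));
    printf("second chroot: %d (EPERM is %d)\n",
           model_chroot(&p, &slash, &sub), EPERM);
    restrict_nested_chroot = 0;        /* knob off: traditional semantics */
    printf("knob off:      %d\n", model_chroot(&p, &slash, &sub));
    return 0;
}
```

With the knob off the model falls back to the traditional behaviour, which is why the message proposes making the restriction optional.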