Skip site navigation (1)Skip section navigation (2) 
Date:      Mon, 4 Aug 2025 15:22:06 +0300
From:      Vadim Goncharov <vadimnuclight@gmail.com>
To:        Jason Bacon <bacon4000@gmail.com>
Cc:        freebsd-hackers <hackers@freebsd.org>
Subject:   Re: Non-root chroot
Message-ID:  <20250804152206.36bba026@nuclight.lan>
In-Reply-To: <840aa772-8656-4970-9885-6c4533c790c2@gmail.com>
References:  <aa1950e6-46d0-44ed-8487-df45bad8b3c8@gmail.com> <20250801155536.5aceeba0@nuclight.lan> <840aa772-8656-4970-9885-6c4533c790c2@gmail.com>
next in thread | previous in thread | raw e-mail | index | archive | help 

On Fri, 1 Aug 2025 17:04:24 -0500
Jason Bacon <bacon4000@gmail.com> wrote:

> > What you want is called jail(8) and it was designed quarter of century
> > ago exactly to overcome chroot() problems:
> > https://papers.freebsd.org/2000/phk-jails/
> > (because one cannot just fix chroot)
> > 
> > Nowadays, there are many jail wrappers so your task of same user
> > unpriviliged user inside is highly likely solved already.
> >   
> 
> I'm aware of jails, which I use regularly for poudriere testing, but I'm 
> under the impression that they also require root privileges at some 
> level.  To be clear, are you saying that a non-privileged user, with no 
> ability to edit system files or change sysctls can create a jail in user 
> space with no assistance from the sysadmin?  So far I have not found a 
> way to do this.

I did not even look for exactly this requirement, but e.g. page
https://wiki.freebsd.org/JailingGUIApplications has example of sudo settings
and in first paragraphs refers to forum post which uses e.g. jailme utility
(and also iocage, some of many jail wrappers I've mentioned above; other
popular manager is cbsd); may be some of them can do what you want, check
yourself.

> Ultimately I would like the tools I'm developing to be usable by 
> scientific researchers using institutionally-managed, shared systems, 
> where enabling something like security.bsd.unprivileged_chroot is not 
> possible for the user and probably a good idea anyway.

You need to be sure user alaways passed `-n` to chroot utility to have
jailbreaking non-possible, which is of course not guaranteed until you trust
your users to give them root anyway.

-- 
WBR, @nuclight

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20250804152206.36bba026>