Date:      Sat, 30 Sep 2000 18:34:06 -0400 (EDT)
From:      Robert Watson <rwatson@FreeBSD.org>
To:        "Brian F. Feldman" <green@FreeBSD.org>
Cc:        Mike Silbersack <silby@silby.com>, security@FreeBSD.org
Subject:   Re: cvs commit: ports/mail/pine4 Makefile (fwd) 
Message-ID:  <Pine.NEB.3.96L.1000930183027.44353A-100000@fledge.watson.org>
In-Reply-To: <200009302138.e8ULcW544214@green.dyndns.org>


On Sat, 30 Sep 2000, Brian F. Feldman wrote:

> > user-chrooting would be excellent.  Chrooting MUAs / web browsers / etc
> > would be a nice feature no matter how secure the program in question seems
> > to be.  If you get it implemented, I'll be the first to use the
> > feature. :)
> > 
> > Mike "Silby" Silbersack
> 
> Cool :)  I use it, for example, for fuzz; it works quite nicely for that.  I 
> think I have taken care of all the possible negative interactions and made 
> it safe, so it does need a review, but I'm fairly sure that many people will 
> want to be able to do chroot without being root.

There's a difference between "chroot that is safe for normal users to use" 
and "chroot that is safe to contain a malicious process".  Having glanced
at these changes before, it may be that they allow normal users to make
use of chroot() without endangering system integrity, but they do not
allow for an effective sandbox for the purposes of security.  Unless
appropriate mandatory inter-process and privilege restrictions are in
place, chroot() should not be used for security purposes, only to allow
for nested file system environments (i.e., compilation, release building,
etc).

Using only chroot() and the ability to execute arbitrary code, it is easy
to break out of a user-initiated sandbox if any processes owned by the
same user are present outside of the sandbox.

  Robert N M Watson 

robert@fledge.watson.org              http://www.watson.org/~robert/
PGP key fingerprint: AF B5 5F FF A6 4A 79 37  ED 5F 55 E9 58 04 6A B1
TIS Labs at Network Associates, Safeport Network Services