From owner-freebsd-security  Sat Nov  2 21:10:21 1996
Return-Path: owner-security
Received: (from root@localhost)
          by freefall.freebsd.org (8.7.5/8.7.3) id VAA23534
          for security-outgoing; Sat, 2 Nov 1996 21:10:21 -0800 (PST)
Received: from ocean.campus.luth.se (ocean.campus.luth.se [130.240.194.116])
          by freefall.freebsd.org (8.7.5/8.7.3) with ESMTP id VAA23521
          for <freebsd-security@freebsd.org>; Sat, 2 Nov 1996 21:10:16 -0800 (PST)
Received: (from karpen@localhost) by ocean.campus.luth.se (8.7.5/8.7.3) id GAA14093; Sun, 3 Nov 1996 06:11:20 +0100 (MET)
From: Mikael Karpberg <karpen@ocean.campus.luth.se>
Message-Id: <199611030511.GAA14093@ocean.campus.luth.se>
Subject: Re: chroot() security
To: newton@communica.com.au (Mark Newton)
Date: Sun, 3 Nov 1996 06:11:20 +0100 (MET)
Cc: freebsd-security@freebsd.org
In-Reply-To: <9611021806.AA19481@communica.com.au> from Mark Newton at "Nov 3, 96 04:36:41 am"
X-Mailer: ELM [version 2.4ME+ PL22 (25)]
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
Sender: owner-security@freebsd.org
X-Loop: FreeBSD.org
Precedence: bulk

According to Mark Newton:
[...]
> Note that I'm not suggesting this as something that should be added to
> FreeBSD per se;  Rather, I'm suggesting that users of FreeBSD in security-
> critical environments can benefit from having kernel sources by taking
> the opportunity to "harden" their kernel.  Those who make the attempt
> will find that once their security policy has been codified in written form,
> translating that written form to source code is surprisingly easy
> (interdependencies and subtle interrelationships notwithstanding - Be
> careful!).  The suggestion given above, for example, can be implemented
> with just a few lines of C.  

(Gives me some ideas. Thought I'd share them.)

Why not? Make an option for it in the LINT file, and just #ifdef it?

option SAFER_CHROOT      #Warning, this might break some executables.

Something like it, at least?
Or maybe make some sysclt or something where you can set it on a per
process basis?
And/Or have a safer_chroot() or no_setuid_chroot() lib call that lets you
add a FreeBSD specific (unless this is copied to other OSes) patch in ports,
etc to make some programs more secure?

I have no idea how braindamaged any of these ideas are, and for what reason,
but I thought I'd see the reactions on this.

  /Mikael