Date: Fri, 16 Oct 2020 18:12:05 -0600 From: Warner Losh <imp@bsdimp.com> To: Yuri <yuri@rawbw.com> Cc: Kyle Evans <kevans@freebsd.org>, Freebsd hackers list <freebsd-hackers@freebsd.org> Subject: Re: Is it possible to exit the chroot(2) environment? Message-ID: <CANCZdfqSN8oPd1bTOxRKAyH0QXo-qMXiGaGCwjLuQQvB3a1jbQ@mail.gmail.com> In-Reply-To: <2886aa43-0145-54e6-b532-18d1865047c6@rawbw.com> References: <b6412618-02ec-1dbd-f474-b4412d7b774b@rawbw.com> <CANCZdfqJ14-Cpvi9%2Bd%2BHRgWbHk7vDUNNOKLUVOC9iBUqZKX=Pw@mail.gmail.com> <CACNAnaFVg2yZnWbfC=MmPfQ==XZYssHFuz%2BCjz%2B67TkZ108qRA@mail.gmail.com> <CACNAnaF-psLeTzwk=HygP4ESEynRyR-m62T1FAjw=ON6J2PVTg@mail.gmail.com> <a488f94a-6efc-27f3-d0a4-489f6f99772d@rawbw.com> <CACNAnaG_u1aVRJpKeb9n0rK4UqRRZDGBt7i=iRtPf-7kxqYQBw@mail.gmail.com> <9fa46833-63c2-a77f-98dd-111f6502dc74@rawbw.com> <CACNAnaFqtpDkd76Z3vAUMcCMwTpMyfy91NPyufeVd%2B8UAqZHKQ@mail.gmail.com> <CANCZdfrzCuR4W-JzoFPyW6WCwVJGwQfuesjmCBMRMSnvfXdv7Q@mail.gmail.com> <CACNAnaGgk6NoxD3kXGpbtAZk%2Bbc%2B2XVc%2B1sO06QU1e%2BKp9CZwQ@mail.gmail.com> <2886aa43-0145-54e6-b532-18d1865047c6@rawbw.com>
next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Oct 16, 2020, 6:01 PM Yuri <yuri@rawbw.com> wrote: > On 9/27/20 1:25 PM, Kyle Evans wrote: > > +1. I think an additional sentence pointing out that that's the > > traditional behavior would outline that this is perhaps what's needed, > > maybe with a specific EPERM reference. > > > > It's tempting to also propose switching it to the even-more-strict 0 > > at some point, perhaps considering a procctl(2) if we really find some > > scenarios where it's absolutely necessary... we'll leave that battle > > to a different day, though. > > > I have several questions though: > > 1) What does this check really guard against? > kern.chroot_allow_open_directories=0 prevents chroot(2) when there are > open directories, and kern.chroot_allow_open_directories=1 prevents exit > from chrooted environment when there were open directories. But what is > the benefit? The process opened some directories and holds open file > handles. How can this interfere with choot? What could go wrong that is > prevented by this check? > Some users of chroot don't want to exit the chroot environment. It's more or a security thing. This is a very different intended use pattern than your case. That's why it's a knob: it is more secure by default. One might ask if such a default makes sense in a jail world... that's a fair question. 2) Why is there no similar check for open files? Why directories are > special? > Open directories can lead to jailbreak. Special files generally can't. Warner > Thank you, > > Yuri > > >
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANCZdfqSN8oPd1bTOxRKAyH0QXo-qMXiGaGCwjLuQQvB3a1jbQ>