Skip site navigation (1)Skip section navigation (2)
Date:      Fri, 16 Oct 2020 18:12:05 -0600
From:      Warner Losh <imp@bsdimp.com>
To:        Yuri <yuri@rawbw.com>
Cc:        Kyle Evans <kevans@freebsd.org>, Freebsd hackers list <freebsd-hackers@freebsd.org>
Subject:   Re: Is it possible to exit the chroot(2) environment?
Message-ID:  <CANCZdfqSN8oPd1bTOxRKAyH0QXo-qMXiGaGCwjLuQQvB3a1jbQ@mail.gmail.com>
In-Reply-To: <2886aa43-0145-54e6-b532-18d1865047c6@rawbw.com>
References:  <b6412618-02ec-1dbd-f474-b4412d7b774b@rawbw.com> <CANCZdfqJ14-Cpvi9%2Bd%2BHRgWbHk7vDUNNOKLUVOC9iBUqZKX=Pw@mail.gmail.com> <CACNAnaFVg2yZnWbfC=MmPfQ==XZYssHFuz%2BCjz%2B67TkZ108qRA@mail.gmail.com> <CACNAnaF-psLeTzwk=HygP4ESEynRyR-m62T1FAjw=ON6J2PVTg@mail.gmail.com> <a488f94a-6efc-27f3-d0a4-489f6f99772d@rawbw.com> <CACNAnaG_u1aVRJpKeb9n0rK4UqRRZDGBt7i=iRtPf-7kxqYQBw@mail.gmail.com> <9fa46833-63c2-a77f-98dd-111f6502dc74@rawbw.com> <CACNAnaFqtpDkd76Z3vAUMcCMwTpMyfy91NPyufeVd%2B8UAqZHKQ@mail.gmail.com> <CANCZdfrzCuR4W-JzoFPyW6WCwVJGwQfuesjmCBMRMSnvfXdv7Q@mail.gmail.com> <CACNAnaGgk6NoxD3kXGpbtAZk%2Bbc%2B2XVc%2B1sO06QU1e%2BKp9CZwQ@mail.gmail.com> <2886aa43-0145-54e6-b532-18d1865047c6@rawbw.com>

next in thread | previous in thread | raw e-mail | index | archive | help
On Fri, Oct 16, 2020, 6:01 PM Yuri <yuri@rawbw.com> wrote:

> On 9/27/20 1:25 PM, Kyle Evans wrote:
> > +1. I think an additional sentence pointing out that that's the
> > traditional behavior would outline that this is perhaps what's needed,
> > maybe with a specific EPERM reference.
> >
> > It's tempting to also propose switching it to the even-more-strict 0
> > at some point, perhaps considering a procctl(2) if we really find some
> > scenarios where it's absolutely necessary... we'll leave that battle
> > to a different day, though.
>
>
> I have several questions though:
>
> 1) What does this check really guard against?
> kern.chroot_allow_open_directories=0 prevents chroot(2) when there are
> open directories, and kern.chroot_allow_open_directories=1 prevents exit
> from chrooted environment when there were open directories. But what is
> the benefit? The process opened some directories and holds open file
> handles. How can this interfere with choot? What could go wrong that is
> prevented by this check?
>

Some users of chroot don't want to exit the chroot environment. It's more
or a security thing. This is a very different intended use pattern than
your case. That's why it's a knob: it is more secure by default.

One might ask if such a default makes sense in a jail world... that's a
fair question.

2) Why is there no similar check for open files? Why directories are
> special?
>

Open directories can lead to jailbreak. Special files generally can't.

Warner



> Thank you,
>
> Yuri
>
>
>



Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?CANCZdfqSN8oPd1bTOxRKAyH0QXo-qMXiGaGCwjLuQQvB3a1jbQ>