From owner-freebsd-security@FreeBSD.ORG Sun Apr 13 08:20:46 2003
Return-Path: 
Delivered-To: freebsd-security@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id A5E2637B401 for ; Sun, 13 Apr 2003 08:20:46 -0700 (PDT)
Received: from metathink.com (metathink.com [192.220.74.80]) by mx1.FreeBSD.org (Postfix) with SMTP id 4083D43F85 for ; Sun, 13 Apr 2003 08:20:46 -0700 (PDT) (envelope-from mns@BEST.COM)
Received: (qmail 57332 invoked by uid 19024); 13 Apr 2003 15:28:39 -0000
Received: from unknown (HELO mark600x.BEST.COM) ([192.220.74.80]) (envelope-sender ) by 192.220.74.80 (qmail-ldap-1.03) with SMTP for ; 13 Apr 2003 15:28:39 -0000
Message-Id: <5.2.0.9.2.20030413101417.022481b0@127.0.0.1>
X-Sender: (Unverified)
X-Mailer: QUALCOMM Windows Eudora Version 5.2.0.9
Date: Sun, 13 Apr 2003 10:20:35 -0500
To: freebsd-security@freebsd.org
From: Mark Shepard
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Subject: chroot() as non-root user?
X-BeenThere: freebsd-security@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
List-Id: Security issues [members-only posting]
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
X-List-Received-Date: Sun, 13 Apr 2003 15:20:46 -0000

I suspect this has been asked before, but I'll ask anyway.

Q1: Is it possible for a non-root process to perform a chroot?

My interest is this: I have a typical ISP hosting account (Verio; on a FreeBSD 4.4 server). I'd like to install and run various CGI packages, yet protect myself (and my email, and my .ssh keys) from bugs being exploited in those CGI packages. Chroot at the start of each CGI would do the trick, but requires root.

I suspect the answer here is "only root can do this"... which leads me to ask, in general:

Q2: Why is chroot() only available to root?

I'm aware of *one* security issue: if a non-root user can perform chroot(), they can alter the name-space "seen" by setuid programs, and potentially compromise them (assuming a user-writable directory [like /tmp] on the same partition as a setuid program). Are there any other reasons? (Besides the issues with fchdir(), which I assume are adequately fixed.)

Assuming there aren't any other issues leads to my last Q... Actually, a proposal:

Q3: Why not allow non-root users to chroot() _as long as the target dir. is on a partition mounted nosuid_?

Seems like this would be a simple mechanism (both to understand and to implement) and would allow regular users to take advantage of chroot to improve the security of scripts, CGIs, etc.

Mark
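An added example, not part of Mark's post and not FreeBSD code: the sequence a small root-owned wrapper (hypothetical name jailwrap) would use to answer Q1 on the root side, putting one CGI into a chroot() jail and then dropping to the account's uid/gid for good. It carries the two checks the discussion implies: the jail root must be root-owned and not writable by anyone else (a writable jail is exactly the setuid name-space problem from Q2, since whoever can write there decides what /etc and /lib look like to any setuid binary run inside), and the ST_NOSUID flag from statvfs(2) is the Q3 condition, checked for the jail's filesystem. POSIX C; the paths, uid and gid are whatever the caller passes.

```c
/*
 * jailwrap (hypothetical): chroot() into a vetted jail as root, then drop
 * privileges irrevocably and exec a program inside the jail.
 * Added example, not from the original mailing-list post.
 */
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/statvfs.h>
#include <sys/types.h>
#include <unistd.h>

/*
 * A jail root that anyone but its owner can write to lets that writer choose
 * what /etc/passwd, /lib, etc. look like to any setuid program run inside it.
 * Returns 0 if path is a directory owned by required_owner and not
 * group/world writable, otherwise an errno value naming the problem.
 */
int jail_dir_is_safe(const char *path, uid_t required_owner)
{
    struct stat st;

    if (lstat(path, &st) != 0)
        return errno;                      /* ENOENT, EACCES, ... */
    if (!S_ISDIR(st.st_mode))
        return ENOTDIR;
    if (st.st_uid != required_owner)
        return EPERM;                      /* wrong owner */
    if (st.st_mode & (S_IWGRP | S_IWOTH))
        return EACCES;                     /* others could plant files */
    return 0;
}

/*
 * The condition from Q3: is the filesystem holding path mounted nosuid?
 * Returns 1 if nosuid, 0 if not, -1 (errno set) if path cannot be examined.
 */
int mounted_nosuid(const char *path)
{
    struct statvfs vfs;

    if (statvfs(path, &vfs) != 0)
        return -1;
    return (vfs.f_flag & ST_NOSUID) ? 1 : 0;
}

/*
 * chroot() into path and give up root for good.  Order matters: the kernel
 * requires root for chroot(); chdir("/") moves the cwd inside the jail so a
 * relative path cannot reach back outside it; the gid/uid drop comes last and
 * is verified, so nothing after this call runs with privilege.
 * Returns 0 on success or an errno value.
 */
int enter_jail(const char *path, uid_t uid, gid_t gid)
{
    int rc;

    if (uid == 0)
        return EINVAL;                     /* "dropping" to root is no drop */
    if (geteuid() != 0)
        return EPERM;                      /* chroot(2) would fail anyway */
    if ((rc = jail_dir_is_safe(path, 0)) != 0)
        return rc;                         /* jail must be root-owned */
    if (chroot(path) != 0)
        return errno;
    if (chdir("/") != 0)
        return errno;
    if (setgroups(0, NULL) != 0)           /* supplementary groups first */
        return errno;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return errno;
    /* Regaining root must now be impossible. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return EPERM;
    return 0;
}

/* Usage (as root): jailwrap JAILDIR UID GID /path/inside/jail [ARGS...] */
int main(int argc, char **argv)
{
    uid_t uid;
    gid_t gid;
    int rc;

    if (argc < 5) {
        fprintf(stderr, "usage: %s JAILDIR UID GID PROGRAM [ARGS...]\n", argv[0]);
        return 2;
    }
    uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (mounted_nosuid(argv[1]) != 1)
        fprintf(stderr, "warning: %s is not on a nosuid filesystem\n", argv[1]);
    if ((rc = enter_jail(argv[1], uid, gid)) != 0) {
        fprintf(stderr, "enter_jail(%s): %s\n", argv[1], strerror(rc));
        return 1;
    }
    /* PROGRAM is resolved inside the jail, e.g. /cgi-bin/script */
    execv(argv[4], &argv[4]);
    fprintf(stderr, "execv(%s): %s\n", argv[4], strerror(errno));
    return 1;
}
```

Run as root, e.g. `jailwrap /home/mark/jail 1001 1001 /cgi-bin/script`, where the jail holds only what the script needs. The wrapper refuses a jail that the kernel would accept but that the account could have populated itself (wrong owner or group/world writable), and it is the owner-and-mode check, not the nosuid flag alone, that closes the setuid path Mark describes: nosuid stops setuid binaries on that filesystem from gaining privilege, while the ownership check stops the jail's contents from being chosen by the user in the first place.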