Date: Fri, 1 Aug 2025 17:04:24 -0500
From: Jason Bacon <bacon4000@gmail.com>
To: Vadim Goncharov <vadimnuclight@gmail.com>
Cc: freebsd-hackers <hackers@freebsd.org>
Subject: Re: Non-root chroot
Message-ID: <840aa772-8656-4970-9885-6c4533c790c2@gmail.com>
In-Reply-To: <20250801155536.5aceeba0@nuclight.lan>
References: <aa1950e6-46d0-44ed-8487-df45bad8b3c8@gmail.com> <20250801155536.5aceeba0@nuclight.lan>
On 8/1/25 07:55, Vadim Goncharov wrote:
> On Fri, 1 Aug 2025 07:19:36 -0500
> Jason Bacon <bacon4000@gmail.com> wrote:
>
>> I'm wondering if there is any way to perform a simple chroot without
>> having root privileges. The goal is to test software builds with access
>> to a limited set of dependencies, as poudriere does, but outside the
>> FreeBSD ports system, and in some cases on hosts where the user has no
>> root access. This will prevent configure scripts with hard-coded search
>> paths from finding things we don't want them to find. Portability to
>> other POSIX platforms would be desirable as well, but is not essential.
>>
>> It's not clear to me why chroot() wasn't designed to support this use
>> case. There's lots of documentation stating that it's a security risk,
>> but I don't see why it couldn't have been designed to be run by a
>> regular user without escalating privileges inside the chroot. I.e. if
>> user "joe" does such a user-level chroot call, then all chrooted
>> processes run as "joe", but with the path of the chroot dir prepended to
>> every open() call (after $CWD is prepended to relative paths, of
>> course), so that processes can only access files in the chroot dir.
>> User "joe" would have the same privileges inside the chroot that he has
>> on the host. One of the other security concerns mentioned is jail
>> breaks, but if joe managed to escape the chroot, he'd only be hurting
>> himself by borking the test build, so that's not a concern here.
>>
>> It might be possible to port fakechroot
>> (https://github.com/dex4er/fakechroot), proot
>> (https://github.com/proot-me/proot), or something similar, but is there
>> anything else on FreeBSD that can do this?
>
> What you want is called jail(8) and it was designed a quarter of a century
> ago exactly to overcome chroot() problems:
> https://papers.freebsd.org/2000/phk-jails/
> (because one cannot just fix chroot)
>
> Nowadays, there are many jail wrappers so your task of same user
> unprivileged user inside is highly likely solved already.
>

I'm aware of jails, which I use regularly for poudriere testing, but I'm
under the impression that they also require root privileges at some
level.

To be clear, are you saying that a non-privileged user, with no ability
to edit system files or change sysctls can create a jail in user space
with no assistance from the sysadmin? So far I have not found a way to
do this.

Ultimately I would like the tools I'm developing to be usable by
scientific researchers using institutionally-managed, shared systems,
where enabling something like security.bsd.unprivileged_chroot is not
possible for the user and probably a good idea anyway.

-- 
Life is a game. Play hard. Play fair. Have fun.
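The user-level path rewrite Jason describes (sandbox $CWD prepended to relative paths, then the sandbox directory prepended to everything) as an added C example; it is not code from fakechroot, proot or anyone in the thread, and the function name sandbox_resolve and the sample root /tmp/sb are made up. It also carries the one check such a rewrite needs to actually confine a build: "." and ".." are normalized before the root is prepended, so a path that climbs above the sandbox cwd is clamped at the sandbox root instead of reaching the host tree.

```c
/* Added example (not fakechroot/proot code): rewrite a path as seen inside
 * a user-space sandbox into the host path, prepending the sandbox cwd to
 * relative paths and then the sandbox root, while normalizing "." and ".."
 * so the result can never point above the root. Names are hypothetical. */
#include <stdio.h>
#include <string.h>
/* ROOT is the host directory holding the sandbox (e.g. "/tmp/sb"), CWD the
 * working directory as seen inside the sandbox (absolute, e.g. "/work").
 * Writes the host path into OUT; returns 0 on success, -1 if it won't fit. */
int sandbox_resolve(const char *root, const char *cwd, const char *path,
                    char *out, size_t outlen)
{
    char joined[4096];
    char norm[4096];
    size_t len = 0;
    int n;
    /* Step 1: relative paths are taken relative to the sandbox cwd. */
    if (path[0] == '/')
        n = snprintf(joined, sizeof joined, "%s", path);
    else
        n = snprintf(joined, sizeof joined, "%s/%s", cwd, path);
    if (n < 0 || (size_t)n >= sizeof joined)
        return -1;
    /* Step 2: normalize components. ".." pops the previous component but
     * never below the sandbox root, so "../../etc" stays inside the tree. */
    norm[0] = '\0';
    for (char *comp = strtok(joined, "/"); comp != NULL;
         comp = strtok(NULL, "/")) {
        if (strcmp(comp, ".") == 0)
            continue;
        if (strcmp(comp, "..") == 0) {
            char *slash = strrchr(norm, '/');
            if (slash != NULL) {            /* NULL: already at the root */
                *slash = '\0';
                len = (size_t)(slash - norm);
            }
            continue;
        }
        size_t clen = strlen(comp);
        if (len + 1 + clen >= sizeof norm)
            return -1;
        norm[len++] = '/';
        memcpy(norm + len, comp, clen + 1);   /* copies the trailing NUL */
        len += clen;
    }
    /* Step 3: prepend the host location of the sandbox root. */
    n = snprintf(out, outlen, "%s%s", root, norm);
    return (n >= 0 && (size_t)n < outlen) ? 0 : -1;
}
```

An LD_PRELOAD shim such as fakechroot applies a rewrite like this inside interposed libc wrappers (open(), stat(), execve() and so on), which is why it cannot constrain statically linked programs or anything that issues raw system calls.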
