[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: chroot wrapper? (Re: Another pbuilder run finished)

On Thu, 2 Jan 2003 18:05, Adrian 'Dagurashibanipal' von Bidder wrote:
> Is there any reason (beyond Unix history), why chroot is root-only? Can
> anything bad happen at all?

On a typical Unix setup you can escape from a chroot environment via another 
chroot.  So making it root-only means that a non-root process in a chroot 
environment is trapped.

Of course there are other solutions to this (grsec and selinux).

> A suid version of chroot would perhaps be interesting (of course, the
> command given to chroot would be executed by the normal user)

One thing I'm working on is a SUID root program to chroot and run a chroot as 
root (with SE Linux to control it so that it can't do any harm).

-- 
http://www.coker.com.au/selinux/   My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/  Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/    Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/  My home page
Reply to: