
Re: Different roots for each process possible?



> Hmm. On Unix, the reason why chroot requires special privileges is
> that if you are inside a chroot prison and are allowed to call chroot,
> you can do
> 
>   cd /       # Get to the top of the prison.
>   mkdir foo
>   chroot foo # Lower the ceiling.
>   cd ..      # We're above the ceiling, so just fly away.

Nothing prevents you from doing that, because you are keeping a pointer, in
the form of the current working directory, to a pre-chroot directory.  So
it is important that programs using chroot for security do chdir("/") or
suchlike immediately after chroot.

The way chroot works in the Hurd is that the root directory port is
replaced by a port on which lookups of ".." just go to ".".  Any ports
looked up from that directory have pointers back to that context, and
travelling back up by ".." links retains that context.  So there are no
lookups that can see out of the "prison"--only preexisting pointers like
the cwd or file descriptors.  (And of course a setuid exec will revert to
the system-global root directory.)
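The following is an added model of the two ".." resolution rules described in this thread; it is a constructed illustration, not code from the Hurd, from Linux, or from either poster. The Unix side encodes the rule a kernel such as Linux applies (".." is stopped only at the calling process's current root, so a retained cwd above that root walks all the way out); the Hurd side encodes the port-with-context behaviour described above (a port looked up under a given root remembers that root, and ".." at it just yields "."). Class and function names are invented for the example.

```python
"""Constructed model of '..' resolution after chroot() in two designs:
a Unix kernel with one root per process, and Hurd-style directory
ports that carry their own root context.  Illustration only."""


class Node:
    """A directory in the global tree. The real root's parent is itself."""

    def __init__(self, name, parent=None):
        self.name = name
        self.parent = parent if parent is not None else self
        self.children = {}

    def mkdir(self, name):
        child = Node(name, self)
        self.children[name] = child
        return child

    def global_path(self):
        """Path from the real root, i.e. what the machine actually sees."""
        parts = []
        n = self
        while n.parent is not n:
            parts.append(n.name)
            n = n.parent
        return "/" + "/".join(reversed(parts))


def _components(path):
    return [c for c in path.split("/") if c]


class UnixProcess:
    """Kernel model: '..' is stopped only at the process's *current* root."""

    def __init__(self, real_root):
        self.root = real_root
        self.cwd = real_root

    def _step(self, node, comp):
        if comp == "..":
            return node if node is self.root else node.parent
        return node.children[comp]

    def _walk(self, path):
        node = self.root if path.startswith("/") else self.cwd
        for comp in _components(path):
            node = self._step(node, comp)
        return node

    def chdir(self, path):
        self.cwd = self._walk(path)

    def mkdir(self, name):
        self.cwd.mkdir(name)

    def chroot(self, path):
        # Like the syscall: changes the root, leaves cwd untouched.
        self.root = self._walk(path)

    def cwd_path(self):
        return self.cwd.global_path()


class Port:
    """Hurd-style directory port: a node plus the root it was looked up under."""

    def __init__(self, node, ctx):
        self.node = node
        self.ctx = ctx

    def lookup(self, comp):
        if comp == "..":
            # At the context's root '..' is just '.'; otherwise go up,
            # but the result keeps the same context.
            target = self.node if self.node is self.ctx else self.node.parent
            return Port(target, self.ctx)
        return Port(self.node.children[comp], self.ctx)


class HurdProcess:
    """Port model: every lookup result remembers the root it came from."""

    def __init__(self, real_root):
        self.root = Port(real_root, real_root)
        self.cwd = Port(real_root, real_root)

    def _walk(self, path):
        port = self.root if path.startswith("/") else self.cwd
        for comp in _components(path):
            port = port.lookup(comp)
        return port

    def chdir(self, path):
        self.cwd = self._walk(path)

    def mkdir(self, name):
        self.cwd.node.mkdir(name)

    def chroot(self, path):
        # New root port whose context is itself: '..' from it goes to '.'.
        target = self._walk(path).node
        self.root = Port(target, target)

    def cwd_path(self):
        return self.cwd.node.global_path()


def escape_attempt(process_class, chdir_root_after_chroot):
    """Run the quoted escape sequence; return where cwd really ends up."""
    real_root = Node("")
    real_root.mkdir("jail")               # constructed sample tree
    proc = process_class(real_root)
    proc.chroot("/jail")                  # jailer confines the process ...
    proc.chdir("/")                       # ... and moves cwd inside, correctly
    proc.chdir("/")                       # prisoner: top of the prison
    proc.mkdir("foo")
    proc.chroot("foo")                    # lower the ceiling
    if chdir_root_after_chroot:
        proc.chdir("/")                   # drop the pre-chroot cwd pointer
    proc.chdir("..")                      # try to fly away
    return proc.cwd_path()


if __name__ == "__main__":
    print("Unix, cwd kept:   ", escape_attempt(UnixProcess, False))
    print("Unix, chdir('/'): ", escape_attempt(UnixProcess, True))
    print("Hurd, cwd kept:   ", escape_attempt(HurdProcess, False))
```

In the Unix model the retained cwd walks out to the real root, because the kernel only compares against the new root `foo`; once `chdir("/")` follows the `chroot`, ".." stays at `foo`. In the port model the old cwd port still "sees out" of `foo`, as the reply says a preexisting pointer does, but only as far as the context it was looked up under, the original prison.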

