
Re: Different roots for each process possible?



Roland McGrath <roland@frob.com> writes:

> Nothing prevents you from doing that, because you are keeping a pointer, in
> the form of the current working directory, to a pre-chroot directory.  So
> it is important that programs using chroot for security do chdir("/") or
> suchlike immediately after chroot.

It seems I wasn't clear enough. Say you want to start the program
"prisoner" inside a chroot prison:

  $ echo Freedom >/the/file
  $ chroot /the/prison  # Change root
  $ cd /                # Move cwd inside prison
  $ prisoner            # Start prisoner

Now, the prisoner doesn't have any references to the outside of the
prison, you made sure of that (I'm ignoring some other potential
problems like other processes that the prisoner might attach a
debugger to). But watch him breaking out using only another chroot...

  $ mkdir foo
  $ chroot foo          # Shrink the prison, without changing the cwd.
  $ cat ../file         # Now our cwd is outside the prison! Use it.
  Freedom

So on unix, you have to do

  $ chroot /the/prison
  $ cd /
  $ su some-non-root-user prisoner

and rely on non-root users not having enough privileges to use chroot.

/Niels


