
Re: Different roots for each process possible?



>>>>> Robert Bihlmeyer writes:

 Robbe> Roland McGrath <frob@debian.org> writes:
 >> > On most systems, I believe the easiest way of breaking a chroot
 >> > jail as root is:
 >> >
 >> > mkdir("whatever");
 >> > /* lower the roof of the jail */
 >> > chroot("whatever");
 >> > /* we are now above the roof, and can fly away */
 >> > chdir("../../../..");
 >> 
 >> This case was previously discussed here.  This circumvention works
 >> on the Hurd too, and it makes perfect sense that both Unix and the
 >> Hurd work this way.  That's why chroot should always be followed
 >> by chdir("/").

 Robbe> Bad code can still use the above sequence to escape after the
 Robbe> chdir.  Ready-to-compile example (dirty, without any
 Robbe> error-checking):

I think there's a misunderstanding here.  The conclusion of the
previous discussion was that chroot ("some/subdir") when not followed
by a chdir ("/") would leave the system in a state where everything
accessible before the chroot would still be accessible.

It would *not* magically grant access to anything that was previously
inaccessible.

chroot on Unix just keeps track of the process's current root inode.
chroot on the Hurd actually changes the semantics of the specified
node so that you can't cd from it to its former parents.  You can have
as many of these reparented nodes as you want... adding more won't
somehow make the old ones misbehave and grant you access to a parent
you didn't have before.

Please, anybody, correct me if I'm wrong.  This is just what I gleaned
from prior discussions, and reading the implementation.

 Robbe> Moral of the story: keeping a uid=0 process in a chroot jail
 Robbe> is moderately pointless. Give it a higher uid, too.

I don't think that's necessary, for the reasons above.

-- 
 Gordon Matzigkeit <gord@fig.org>  //\ I'm a FIG (http://fig.org/)
Committed to freedom and diversity \//  Run Bash (http://fig.org/gnu/bash/)
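Whichever way the Hurd question settles, the Unix-side mitigation Robbe mentions is to shed uid 0 once inside the jail: the quoted mkdir/chroot/chdir sequence needs root to call chroot a second time, so a process that can no longer become root cannot use it. The program below is an added illustration written for this page, not code from either poster or from the Hurd project. It performs chroot, the chdir("/") the thread recommends, then drops supplementary groups, gid and uid, and verifies that uid 0 cannot be regained. The function names jail_args_ok and jail_enter are assumptions of this example; it targets Linux/glibc and must be started as root for jail_enter to succeed.

```c
/* Added example (not from the thread): enter a chroot jail defensively.
 * Assumed names: jail_args_ok, jail_enter. Targets Linux/glibc. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Pure sanity check of the requested jail parameters, done before any
 * system call. Refuses relative paths and uid/gid 0, because staying root
 * inside the jail is exactly what makes the quoted escape possible. */
int jail_args_ok(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || dir[0] != '/')
        return 0;
    if (uid == 0 || gid == 0)
        return 0;
    return 1;
}

/* Enter the jail rooted at dir and become uid:gid.
 * Returns 0 on success, -1 on failure with errno set. Must run as root. */
int jail_enter(const char *dir, uid_t uid, gid_t gid)
{
    if (!jail_args_ok(dir, uid, gid)) {
        errno = EINVAL;
        return -1;
    }
    if (chroot(dir) != 0)
        return -1;
    /* Move the cwd inside the new root. Without this the cwd still
     * points into the old tree and ".." walks out of the jail. */
    if (chdir("/") != 0)
        return -1;
    /* Drop privileges in this order: supplementary groups, then gid,
     * then uid. Once the uid is unprivileged the first two would fail. */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0)
        return -1;
    if (setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining uid 0 must now fail. */
    if (setuid(0) == 0 || geteuid() == 0 || getuid() == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s /abs/jail/dir uid gid\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    if (jail_enter(argv[1], uid, gid) != 0) {
        perror("jail_enter");
        return 1;
    }
    printf("in jail %s as uid=%u gid=%u; cwd is /\n",
           argv[1], (unsigned)getuid(), (unsigned)getgid());
    return 0;
}
```

Run it as root with an absolute jail directory and a non-zero uid/gid (for instance a dedicated service account); it refuses uid 0 outright, and fails closed if any step of the drop does not take effect.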