Re: [PATCH v3 4/4] Allow unprivileged chroot when safe

From: Andy Lutomirski
Date: Mon Jan 30 2012 - 17:44:13 EST


On Mon, Jan 30, 2012 at 2:41 PM, Colin Walters <walters@xxxxxxxxxx> wrote:
> On Mon, 2012-01-30 at 14:10 -0800, Andy Lutomirski wrote:
>> On Mon, Jan 30, 2012 at 1:58 PM, Colin Walters <walters@xxxxxxxxxx> wrote:
>> > On Mon, 2012-01-30 at 08:17 -0800, Andy Lutomirski wrote:
>> >> Chroot can easily be used to subvert setuid programs.  If no_new_privs,
>> >> then setuid programs don't gain any privilege, so allow chroot.
>> >
>> > Is this needed/desired by anyone now, or are you just using it to "demo"
>> > NO_NEW_PRIVS?  I don't see it as very useful on its own, since in any
>> > "container"-type chroot you really want /proc and /dev, and your patch
>> > doesn't help with that.
>>
>> It's a demo, but it could still be useful for container-ish things.
>> If something privileged sets up /proc, /sys, and /dev, then
>> unprivileged code can chroot into the container.  This would allow
>> much simpler implementations of tools like schroot.
>
> What's the win if you still need a setuid binary?  schroot (and my
> linux-user chroot binary) can just as easily call chroot as they can
> create bind mounts; I'm not buying a code complexity argument.

You don't need a setuid binary. Just have an initscript set up the bind mounts.

--Andy
--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/