From mboxrd@z Thu Jan 1 00:00:00 1970 From: Al Viro Subject: Re: [RFC][PATCH 0/3] vfs: Detach mounts on unlink. Date: Sun, 6 Oct 2013 00:19:15 +0100 Message-ID: <20131005231915.GW13318@ZenIV.linux.org.uk> References: <87li281wx6.fsf_-_@xmission.com> <1381014462.1974.162@driftwood> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Cc: "Eric W. Biederman" , Miklos Szeredi , "Serge E. Hallyn" , Linux-Fsdevel , Kernel Mailing List , Andy Lutomirski , Linus Torvalds To: Rob Landley Return-path: Content-Disposition: inline In-Reply-To: <1381014462.1974.162@driftwood> Sender: linux-kernel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org On Sat, Oct 05, 2013 at 06:07:42PM -0500, Rob Landley wrote: > A todo item I've had _forever_ is fixing chroot() to not be broken > so that you can trivially break out of a chroot via: > > chdir("/"); > mkdir("sub"); > chroot("sub"); > chdir("./../../../../../../../.."); > > (Because chroot() affects where "/" points but NOT where "." points > to, and chdir does an == check with the dentry "/" points at to know > when to stop, so if you move "/" under "." you can back up to the > actual root of the tree.) > > The above is why lxc uses pivot_root() instead of chroot(). > > These days, we have multiple mount trees so there's no reason > chroot() can't trim the process local mount tree (creating a new > bind mount if necessary). Except my todo list runneth over and I > haven't had a chance to dig in and see what would be involved. (Last > time I brought this up people were wondering why chroot() didn't > just move "." to the new "/" if it wasn't under it. I had no idea, > still don't.) 1) RTFUNIXFAQ. chroot() never has been root-proof. 2) your "fix" isn't - it will lead to mounts done by chrooted process not affecting other processes in the same namespace.