From mboxrd@z Thu Jan 1 00:00:00 1970 From: Majkls Subject: Re: hardened chroot() Date: Wed, 30 Aug 2006 20:11:29 +0200 Message-ID: <44F5D4D1.3070404@tiscali.cz> References: <44F5CF1F.1080304@tiscali.cz> <44F5D037.2000606@cs.columbia.edu> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-2 Content-Transfer-Encoding: 7bit Return-path: Received: from ip-85-207-10-210.pamico.cz ([85.207.10.210]:45065 "EHLO prenet.prepere.com") by vger.kernel.org with ESMTP id S1750825AbWH3SLj (ORCPT ); Wed, 30 Aug 2006 14:11:39 -0400 Received: from localhost (localhost [127.0.0.1]) by prenet.prepere.com (Postfix) with ESMTP id 0B4964ADC5 for ; Wed, 30 Aug 2006 20:11:44 +0200 (CEST) Received: from prenet.prepere.com ([127.0.0.1]) by localhost (prenet [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 10675-02 for ; Wed, 30 Aug 2006 20:11:41 +0200 (CEST) Received: from [192.168.1.20] (majkls.comps.local [192.168.1.20]) by prenet.prepere.com (Postfix) with ESMTP id E6D104ADAE for ; Wed, 30 Aug 2006 20:11:39 +0200 (CEST) To: linux-fsdevel@vger.kernel.org In-Reply-To: <44F5D037.2000606@cs.columbia.edu> Sender: linux-fsdevel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org Shaya Potter wrote: >> Majkls wrote: >> > >>>> Hello, >>>> is there possibility to add hardened chroot() to linux kernel? I have >>>> some patch and I would like submit it into linux-kernel. Now can be >>>> chroot workarounded. What do you think about it? > >> >> >> I wrote one a few years ago, but there seemed to be no interest in it. >> >> My conception was based on that observation that a chroot "point" really >> only deals with path walking and basically says that at this point ".." >> is the same as ".". Therefore, all we need are a linked list of "chroot >> points" and just like the current follow_dotdot() function tests if the >> current directory is the "root", one can just have it loop through the >> entire list of chroot points. yes i have special function which check if is it in root. It is also necessary fix sys_fchdir. >> >> The idea was to enable root processes to run within a chroot >> environment, and even call chroot(). >> >> In Linux today, it might be better solved via setting up an alternative >> namespace. yes, but it is not so simple. simplier is one patch for chroot. Why don't do it right, if it is not problem. >> >> - >> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html >> -- Miloslav "Majkls" Semler