On 2015-04-14 08:28, David Sterba wrote:
> On Tue, Apr 14, 2015 at 01:44:32PM +0300, Lauri Vősandi wrote:
>> This patch forces btrfs receive to issue chroot before
>> parsing the btrfs stream to confine the process and
>> minimize damage that could be done via a malicious
>> btrfs stream.
>
> Thanks.
>
> As we've discussed, there are possibly some things to resolve:
>
> * chdir("/") after chroot
> * commandline options to enable/disable chroot, choose the default
>
> Receive should work for a non-root user so chroot should be conditional,
> but I'm not sure if this should be guessed from the UID or if this would
> be better to specify only by the commandline options.
>
> I'll put the patch into a separate branch for now.

Personally, I would expect it to default to not using chroot(), provide a commandline option to tell it to do so, and then just catch the error from trying to chroot as a non-root user.
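The sequence discussed above (chroot(), then chdir("/"), made conditional on a commandline option, with the non-root failure caught rather than guessed from the UID), as an added example. This is not code from btrfs-progs or from the patch under discussion; the `confine_to()` function, the `confine_result` enum and the `--chroot DIR` option are assumed names for illustration.

```c
/* Added example, not code from btrfs-progs or from the patch under
 * discussion. Shows chroot() followed by chdir("/"), made conditional,
 * with the non-root EPERM case reported distinctly from other failures.
 * confine_to(), confine_result and the --chroot option are assumed names. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

enum confine_result {
    CONFINE_SKIPPED = 0,     /* chroot not requested (the proposed default) */
    CONFINE_OK,              /* root changed and cwd moved inside it */
    CONFINE_NOT_PERMITTED,   /* chroot() refused with EPERM: no CAP_SYS_CHROOT */
    CONFINE_FAILED           /* any other error, e.g. directory missing */
};

/* Confine the process to `dir` when `enabled` is non-zero.
 * On failure *err receives the errno value; otherwise it is 0. */
enum confine_result confine_to(const char *dir, int enabled, int *err)
{
    *err = 0;
    if (!enabled)
        return CONFINE_SKIPPED;

    if (chroot(dir) != 0) {
        *err = errno;
        return errno == EPERM ? CONFINE_NOT_PERMITTED : CONFINE_FAILED;
    }
    /* chroot() changes the root but not the working directory. Without
     * this chdir the cwd still refers to a directory outside the new root,
     * and relative paths such as "../.." resolve from there, so the jail
     * would not actually confine stream-supplied paths. */
    if (chdir("/") != 0) {
        *err = errno;
        return CONFINE_FAILED;
    }
    return CONFINE_OK;
}

int main(int argc, char **argv)
{
    /* Hypothetical CLI: `--chroot DIR` opts in; the default is no chroot. */
    const char *dir = NULL;
    for (int i = 1; i < argc; i++) {
        if (strcmp(argv[i], "--chroot") == 0 && i + 1 < argc)
            dir = argv[++i];
    }

    int err;
    enum confine_result r = confine_to(dir ? dir : "/", dir != NULL, &err);
    switch (r) {
    case CONFINE_SKIPPED:
        puts("not confined (default)");
        break;
    case CONFINE_OK:
        printf("confined to %s\n", dir);
        break;
    case CONFINE_NOT_PERMITTED:
        /* The case the reply describes: chroot was asked for but the
         * caller is not root, so report it instead of guessing from UID. */
        fprintf(stderr, "chroot requested but not permitted: %s\n", strerror(err));
        return 1;
    case CONFINE_FAILED:
        fprintf(stderr, "chroot to %s failed: %s\n", dir, strerror(err));
        return 1;
    }
    /* ... parsing of the receive stream would follow here ... */
    return 0;
}
```

Run without arguments it does nothing to the process (the proposed default); with `--chroot /some/dir` as an unprivileged user, chroot() fails with EPERM and the program reports that explicitly instead of deciding up front based on the UID.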