Re: can chroot be made safe for non-root?

[Shaya Potter <spotter@cs.columbia.edu>]

On Fri, 2002-10-18 at 16:14, David Wagner wrote:
> Pavel Machek  wrote:
> >> I am eager to be able to sandbox my processes on a system without the
> >> help of suid-root programs (as I prefer to have none of these on my
> >> system).
> >
> >You can do that using ptrace. subterfugue.sf.net.
> 
> ptrace() is ok, but it also has lots of disadvantages: performance,
> expressiveness, security, assurance.  I've posted before on this mailing
> list, at length, about them.  In short, ptrace() is not an ideal solution,
> and a secure chroot() or other way to construct a jail/sandbox would
> be better.  (LSM will be much better.)

the problem with chroot() is that they dont nest.  If you get an fd
outside the chroot, you effectively broke the chroot.  Therefore, if
someone can get root inside the chroot, all they have to do is open an
fd, chroot somewhere else, then fchdir to that fd.

If however, one could provide even a single level of nesting, such that
a chroot outside of a chroot sets the first level, and any other chroot
after that sets the inner level, then even root wouldn't be able to
break out of the chroot (presuming it didn't bring any fd's into the
chroot w/ it).  

It might be nice to provide even more levels than this, but not sure if
one gain much by doing that and the add complexity might make it not
worthwhile.  Then again, even 2 levels might be too complex.  I've
actually thought a little of this in regards to some research I'm doing,
but haven't had a chance yet to persue, and see what would need to be
effected.  It would seem to come into play mostly on the path walking
algorithms, but that's from a very very cursory reading of the stuff. 
anyone else have any ideas on this? Or am I crazy :)

thanks,

shaya