From: David Newall <david@davidnewall.com>
To: Linux Kernel Mailing List <linux-kernel@vger.kernel.org>
Subject: Chroot bug take 3
Date: Sun, 30 Sep 2007 00:51:51 +0930 [thread overview]
Message-ID: <46FE6D8F.70808@davidnewall.com> (raw)
/.
I hope I haven't crossed the line between determined and annoying. I
thought we were done, but now I find meat still on this bone.
Posit a normal process having some filesystem root, and a current
working directory (pwd) lying within that root subtree. When chroot is
performed, pwd is left unchanged. This means it can (and often will)
lie outside of the new root.
How much of the filesystem lying outside of root should a process be
allowed to access? Currently it is the complete filesystem.
It is perfectly reasonable for a process to execute chroot multiple
times, each time pruning off access to further parts of the filesystem.
What is *not reasonable* is chroot unavoidably returning access which
previously had been dropped. Similarly, performing fchdir on a
directory opened prior to chroot should not grant access to more of the
filesystem than was accessible when the directory was opened.
Although chroot can result in pwd lying outside of the new root, is must
still lie within some root. A new quantity, openfdroot, will be
recorded by chroot, to be used as the limit when walking dotdot outside
of the current root.
The initial value for openfdroot is the complete filesystem. After
completing each chroot, as well as chdir, fchdir and close, openfdroot
will be set to root iff all open directories and pwd lie within that
root; otherwise it remains unchanged.
In an ideal world a separate openfdroot would be recorded for each open
directory, and another for pwd, however this is extreme. A single value
permits chroot to perform its fundamental promise, namely to prune the root
The following might replace the last two paragraphs in chroot(2)'s
description:
This call does not change the current working directory. After the
call, '.' can be outside of path, thus files, accessible to the
process before the call, remain accessible (via relative pathnames)
afterwards. This access is intrinsicly dropped by changing
directory to within the new root.
This call does not close open file descriptors, and such descriptors
may allow access to files outside the chroot tree. A successful
open(2) on a directory outside of path yields a descriptor that can
subsequently be passed to fchdir(2) to escape the new root. This
will only provide access to as much of the filesystem as was
accessable when the directory was opened. Closing all such files
(and changing directory to within path) drops this access.
Would there be any point in working up a patch?
reply other threads:[~2007-09-29 15:22 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=46FE6D8F.70808@davidnewall.com \
--to=david@davidnewall.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox