
Unprivileged chroot

Authored by trasz on May 5 2021, 7:18 PM.



This is an RFC for unprivileged chroot(8). All feedback is welcome.

This builds on the recently introduced NO_NEW_PRIVS flag to implement unprivileged chroot, enabled by security.bsd.unprivileged_chroot. It allows non-root processes to chroot(2), provided they have the NO_NEW_PRIVS flag set.

The chroot(8) utility gets a new flag, -n, which sets NO_NEW_PRIVS before chrooting.
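An added example, written for this page rather than taken from the review or from FreeBSD's chroot(8): the sequence `chroot -n` performs, as a small C program that sets NO_NEW_PRIVS and then calls chroot(2) as an ordinary user. On FreeBSD it uses procctl(2)'s PROC_NO_NEW_PRIVS_CTL and PROC_NO_NEW_PRIVS_STATUS (the PROC_NO_NEW_PRIVS API this revision was originally titled after); elsewhere it falls back to prctl(2), which the Linuxulator bits map onto the same flag. The chroot target is whatever directory the caller passes.

```c
#define _GNU_SOURCE                 /* chroot() prototype on glibc */
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/procctl.h>            /* PROC_NO_NEW_PRIVS_* (procctl(2)) */
#else
#include <sys/prctl.h>              /* PR_SET/GET_NO_NEW_PRIVS (prctl(2)) */
#endif

/* Set NO_NEW_PRIVS on this process: one-way, inherited across fork/exec. */
int set_no_new_privs(void)
{
#ifdef __FreeBSD__
	int arg = PROC_NO_NEW_PRIVS_ENABLE;
	return procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, &arg);
#else
	return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
#endif
}

/* 1 if NO_NEW_PRIVS is set, 0 if not, -1 on error. */
int no_new_privs_status(void)
{
#ifdef __FreeBSD__
	int st;
	if (procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_STATUS, &st) == -1)
		return -1;
	return st == PROC_NO_NEW_PRIVS_ENABLE;
#else
	return prctl(PR_GET_NO_NEW_PRIVS, 0, 0, 0, 0);
#endif
}

/* Ensure NO_NEW_PRIVS, chroot(2) to dir, then chdir("/") so the cwd does
 * not point outside the new root.  Returns 0 or an errno; EPERM as non-root
 * on FreeBSD means security.bsd.unprivileged_chroot is 0. */
int try_unprivileged_chroot(const char *dir)
{
	if (no_new_privs_status() != 1 && set_no_new_privs() == -1)
		return errno;
	if (chroot(dir) == -1 || chdir("/") == -1)
		return errno;
	return 0;
}

int main(int argc, char **argv)
{
	int rv = try_unprivileged_chroot(argc > 1 ? argv[1] : "/");
	printf("no_new_privs=%d chroot errno=%d\n", no_new_privs_status(), rv);
	return rv != 0;
}
```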

Diff Detail

rG FreeBSD src repository

Event Timeline

trasz requested review of this revision. May 5 2021, 7:18 PM
jhb added inline comments.
655 (On Diff #88696)

This is now redundant as the helper function frees the cred?


Rebase, improve the consistency of the procctl(2) API, and add Linux bits.

trasz marked 2 inline comments as done. Jun 7 2021, 4:48 PM
trasz added reviewers: secteam, jhb, phk.

I'm fine with the two new features proposed individually.

But their linkage has me worried, it is both very blunt, and opaque.

We cannot allow random users to chroot into a tree of their own construction full of captive setuid files.

But how did they get the setuid files in there to begin with, without losing the setuid bits?

As far as I can tell, the only way to do that, is to have a writable directory on the same filesystem as the setuid file you want to capture, in which case you can hard-link to it.

It sounds to me like the correct protection is to disallow hardlinking to setuid files, unless you are root or own them?

And thinking more about it: Why is that even allowed to begin with?!

I think this needs to be run past the secteam and possibly arch?

For the purpose of making it easier to review, and eventually commit, parts have been spun off into and I'll follow up with Linuxulator and chroot bits afterwards.

Regen, improve man page description.

trasz retitled this revision from PROC_NO_NEW_PRIVS and `chroot -n` to Unprivileged chroot. Jul 7 2021, 10:09 AM
trasz edited the summary of this revision. (Show Details)

There is no prctl

This revision is now accepted and ready to land. Jul 13 2021, 10:10 AM
This revision was automatically updated to reflect the committed changes.