Page MenuHomeFreeBSD

Unprivileged chroot
ClosedPublic

Authored by trasz on May 5 2021, 7:18 PM.

Details

Summary

This is a RFC for unprivileged chroot(8). All feedback is welcome.

This builds on recently introduced NO_NEW_PRIVS flag to implement unprivileged chroot, enabled by security.bsd.unprivileged_chroot. It allows non-root processes to chroot(2), provided they have the
NO_NEW_PRIVS flag set.

The chroot(8) utility gets a new flag, -n, which sets NO_NEW_PRIVS
before chrooting.

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Not Applicable
Unit
Tests Not Applicable

Event Timeline

trasz requested review of this revision.May 5 2021, 7:18 PM
jhb added inline comments.
sys/kern/kern_exec.c
655 ↗(On Diff #88696)

This is now redundant as the helper function frees the cred?

sys/kern/vfs_syscalls.c
961

Rebase, improve the consistency of procctl(2) API, and add Linux bits.

trasz marked 2 inline comments as done.Jun 7 2021, 4:48 PM
trasz added reviewers: secteam, jhb, phk.

I'm fine with the two new features proposed individually.

But their linkage has me worried, it is both very blunt, and opaque.

We cannot allow random users to chroot into a tree of their own construction full of captive setuid files.

But how did they get the setuid files in there to begin with, without loosing the setuid bits ?

As far as I can tell, the only way to do that, is to have a writable directory on the same filesystem as the setuid file you want to capture, in which case you can hard-link to it.

It sounds to me like the correct protection is to disallow hardlinking to setuid files, unless you are root or own then ?

And thinking more about it: Why is that even allowed to begin with ?!

I think this needs to be run past the secteam and possibly arch ?

For the purpose of making it easier to review, and eventually commit, parts have been spun off into https://reviews.freebsd.org/D30939 and https://reviews.freebsd.org/D30940. I'll follow up with Linuxulator and chroot bits afterwards.

Regen, improve man page description.

trasz retitled this revision from PROC_NO_NEW_PRIVS and `chroot -n` to Unprivileged chroot.Jul 7 2021, 10:09 AM
trasz edited the summary of this revision. (Show Details)
usr.sbin/chroot/chroot.8
68

There is no prctl

This revision is now accepted and ready to land.Jul 13 2021, 10:10 AM
This revision was automatically updated to reflect the committed changes.