Re: Non-root chroot
Date: Mon, 04 Aug 2025 13:26:36 UTC
On 8/3/25 23:41, Daniel O'Connor wrote:
>
>> On 3 Aug 2025, at 18:39, Dmitry Mikushin <dmitry@kernelgen.org> wrote:
>> Important point is that the user is not obliged to hand in any particular "su" program. The user may hand in any "su"-like code suitable for escaping the chroot.
>
> You can’t create a setuid binary owned by root without being root so it doesn’t matter.
>
> --
> Daniel O'Connor
> "The nice thing about standards is that there
> are so many of them to choose from."
> -- Andrew Tanenbaum
>

It may be possible to nullfs mount something into the chroot dir, or dupe the superuser into copying a root-owned file in. The listing below was run in a user-level chroot, where I copied /usr/bin/su in as root from the host:

$ ls -l
total 52
drwxr-xr-x   2 bacon  bacon   1024 Aug  4 08:09 bin
drwxr-xr-x   2 bacon  bacon    512 Aug  3 06:27 dev
drwxr-xr-x  33 bacon  wheel   2560 Jul 28 17:16 etc
drwxr-xr-x   3 bacon  wheel    512 Jan 22  2025 home
drwxr-xr-x   4 bacon  wheel   2048 Jul 28 17:11 lib
drwxr-xr-x   3 bacon  wheel    512 Jul 28 17:11 libexec
drwxr-xr-x   2 bacon  wheel   3072 Jul 28 17:11 sbin
-r-sr-xr-x   1 root   wheel  17760 Jul 28 17:11 su
drwxr-xr-x   7 bacon  wheel    512 Jan 22  2025 usr

I wonder if it's feasible to force ownership of all files within a chroot/jail to the user who launched it, at least from the perspective of processes in the chroot. This would do a lot to block attacks.

My point, though, was just that the suid binaries in the base should guard against fake files by checking ownership and write permissions. That doesn't prevent other suid binaries from ports or caveman installs from leaking in, but it's a big improvement.

An important point this raises is that we cannot assume every root user is highly qualified. In academic research, the "superuser" is often the scientists in the lab who foolishly leaked the fact that [s]he knows something about Unix, and implicitly inherited a second job as a result.

We can reasonably argue that it's not our job to protect people from themselves, but wherever we can do so easily, it will save us some annoying conversations down the road.

--
Life is a game. Play hard. Play fair. Have fun.
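The ownership-and-write-permission check the message asks of setuid binaries, as an added C example (not code from this thread or from FreeBSD's su): a privileged program opens one of the files it trusts only if it is a regular file owned by the expected uid and writable by nobody else, doing the check on the opened descriptor. The selfcheck and its /tmp file are constructed for demonstration and are assumptions of this example.

```c
#define _POSIX_C_SOURCE 200809L
#include <fcntl.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open `path` only if it is a regular file owned by `owner` that nobody
 * else can write.  O_NOFOLLOW refuses symlinks and fstat() inspects the
 * descriptor actually opened, so the file cannot be swapped between check
 * and use.  Returns the descriptor or -1; a setuid program should read
 * through it rather than reopen the name (parent dirs need the same care). */
int open_trusted_file(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) || st.st_uid != owner ||
        (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* 1 if `path` passes the checks above, 0 otherwise. */
int trusted_file_ok(const char *path, uid_t owner)
{
    int fd = open_trusted_file(path, owner);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Self-check on a constructed /tmp file: a 0644 file we own passes, fails
 * when another owner is expected or once world-writable.  1 if all agree. */
int selfcheck(void)
{
    char file[] = "/tmp/trusted.XXXXXX";
    int ok, fd = mkstemp(file);
    if (fd < 0)
        return 0;
    close(fd);
    ok = chmod(file, 0644) == 0 && trusted_file_ok(file, getuid()) == 1
         && trusted_file_ok(file, getuid() + 1) == 0
         && chmod(file, 0666) == 0 && trusted_file_ok(file, getuid()) == 0;
    unlink(file);
    return ok;
}
```

In a real setuid program the `owner` argument would be 0 and the paths would be the configuration files the program consults; the check still cannot tell that it is running inside a user-controlled chroot, it only refuses files such an environment could have planted.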