Re: Proposal: Enabling unprivileged chroot by default
- In reply to: Isaac (.ike) Levy: "Re: Proposal: Enabling unprivileged chroot by default"
Date: Tue, 05 Aug 2025 20:11:58 UTC
On Tue, 5 Aug 2025 at 11:28, Isaac (.ike) Levy <ike@blackskyresearch.net> wrote:
>
> > On Aug 5, 2025, at 11:57 PM, Ed Maste <emaste@freebsd.org> wrote:
> >
> > I would like to change the default value of the
> > security.bsd.unprivileged_chroot sysctl from 0 (disabled) to 1
> > (enabled). This will allow unprivileged users to invoke chroot(2)
> > under constrained and secure conditions. See the recent "Non-root
> > chroot" thread on freebsd-hackers@ for some more context.
>
> Thanks for this post and the work here Ed,

To be clear, most of the development work here is not mine. I cleaned up a few loose ends (e.g. the missing man page updates) and am working on this proposed default change, but the core functionality was done by trasz@.

> Concerns:
> some of the worst security compromises I've had to unwind in the last 25 years have had something to do with setuid or chroot directly.

There are clear issues with setuid/setgid binaries and unprivileged chroot, so we sidestep the issue by just not permitting them with unprivileged chroot.

I don't particularly like that hardening dialog in bsdinstall, for a few reasons. Setting those options does not necessarily improve security, it adds additional steps and questions for a user to consider during installation, and the appropriate answer may not be clear or obvious at that point. If we're not convinced that it's safe to change the default, then I'd rather leave it unchanged instead of adding an option in the installer menu to disable it.