Re: Proposal: Enabling unprivileged chroot by default
- In reply to: Ed Maste : "Proposal: Enabling unprivileged chroot by default"
Date: Tue, 05 Aug 2025 20:50:56 UTC
On Tue, 5 Aug 2025, Ed Maste wrote:

> **Request for Feedback**
> If you have concerns, objections, or additional insight into the
> security or operational impact of this change, please reply to this
> thread or comment directly on the Phabricator review.

Given chroot(8) was changed I presume this is for some manual action of a user and not a user space user daemon process wanting to restrict itself (which would be a fun thing for a lot of people to learn to get some things right ;-)

I can see a few use cases which this may be good for (simply being able to run various automation as user) but first thing I'd likely need inside the chroot would be [a restricted] devfs which would require usermount as well I suppose and that's just going to be a non-starter.

> Timing on the commit is an open question; it could be done soon (so
> that the change will be available in FreeBSD 15.0) or after stable/15
> branches (making it available in FreeBSD 16.0).

I am happy the man page change went in; unless there is a clarification of a 'why?' this was done in first place (the commit message and your proposal both don't tell), I'd be reluctant to change the default at all and might even go further asking: do we need it all?

/bz

--
Bjoern A. Zeeb r15:7