Re: Proposal: Enabling unprivileged chroot by default

From: Darren Henderson <darren.henderson_at_gmail.com>
Date: Wed, 06 Aug 2025 14:55:31 UTC

On 8/5/2025 3:59 PM, Jordan Gordeev wrote:
> On Tuesday, 5 August 2025 at 17:58, Ed Maste <emaste@freebsd.org> wrote:
>
>> I would like to change the default value of the
>> security.bsd.unprivileged_chroot sysctl from 0 (disabled) to 1
>> (enabled).
> If a system manager wants to allow unprivileged users to use chroot(8), they can easily allow that by setting the sysctl to 1 on their system. Taking that into account, what problem will changing the default solve?
>
> Do the majority of FreeBSD users simultaneously:
>    1) have a desire to use chroot(8) as an unprivileged user
>    2) have no clue how to change a sysctl?

I would take it further than this - is there even a significant minority 
of users who need or want this?

It seems like something that should be a conscious and deliberate change 
to the system for which an exceedingly simple change by the sysadmin is a
reasonable and practical solution.

A niche need that increases the potential attack surfaces isn't 
something that should be made the norm. Leave it disabled.