Re: Non-root chroot

Jason Bacon <bacon4000@gmail.com> wrote:

> On 8/5/25 22:59, Jamie Landeg-Jones wrote:

> > But just as it is if you're not using a chroot, your non-root user cannot
> > create suid-root binaries, and when you're setting things up, you'd simply not
> > use root to copy a suid-root 'su' (or anything else) into your chroot tree.
>
> Not quite true:
>
> FreeBSD moray.acadix  bacon ~ 1018: sysctl vfs.usermount
> vfs.usermount: 1
> FreeBSD moray.acadix  bacon ~ 1019: whoami
> bacon
> FreeBSD moray.acadix  bacon ~ 1020: mount -t nullfs /usr/bin 
> /home/bacon/new-root/usr/bin/
> FreeBSD moray.acadix  bacon ~ 1021: ls -l new-root/usr/bin/su
> -r-sr-xr-x  1 root wheel   17K Jul 28 17:11 new-root/usr/bin/su*
>
> Granted, usermount should generally not be set on a shared system, but 
> it could happen.

But usermounts are mounted nosuid.

> Or, as I mentioned in a prior response, there's always the possibility 
> of duping a root user into installing an suid binary.  Not all of them 
> are highly qualified, and everyone gets tired or rushed sometimes.

Yeah, possible, especially if they are recursively copying a system
tree (/bin /usr/bin etc.) to the chroot, but the point I was replying
to said "Important point is that the user is not obliged to hand in any
particular "su" program. The user may hand in any "su"-like code suitable
for escaping the chroot.", so that's not very likely, though I concede
that this is an attack vector greater than not allowing user-chroot.

Would forcing all user-chrooted trees to be no-suid-root solve this,
do you think?

Cheers, Jamie