Re: Proposal: Enabling unprivileged chroot by default

From: Jan Bramkamp <crest_at_rlwinm.de>
Date: Wed, 13 Aug 2025 15:49:36 UTC
On 05.08.25 16:57, Ed Maste wrote:
> I would like to change the default value of the
> security.bsd.unprivileged_chroot sysctl from 0 (disabled) to 1
> (enabled). This will allow unprivileged users to invoke chroot(2)
> under constrained and secure conditions. See the recent "Non-root
> chroot" thread on freebsd-hackers@ for some more context.
>
> **Background**
> Support for unprivileged chroot(2) was introduced before FreeBSD 14.0
> (and MFC'd for FreeBSD 13.1) via commit a40cf4175c90 ("Implement
> unprivileged chroot"), but disabled by default. This commit added:
>
> - a sysctl security.bsd.unprivileged_chroot that must be set to 1
> - a check in chroot(2) that the NO_NEW_PRIVS procctl is set when
> called in an unprivileged context
> - a new chroot(8) flag -n to set the NO_NEW_PRIVS procctl
>
> NO_NEW_PRIVS causes the kernel to ignore set-user-ID and set-group-ID
> bits, preventing the well-known confused deputy issues affecting
> chroot(2).
>
> The original commit did not include a man page update. I've now added
> a description of unprivileged use in commit 95f8c3e1ed0c, and a more
> explicit error message from chroot(8) if -n is missing, in commit
> e6c623e9bad5.
>
> **Proposed Change**
> A patch to change the default sysctl value to 1 is under review here:
> https://reviews.freebsd.org/D51702. A regression test still needs to
> be added before this would be committed.
>
> **Request for Feedback**
> If you have concerns, objections, or additional insight into the
> security or operational impact of this change, please reply to this
> thread or comment directly on the Phabricator review.
>
> Timing on the commit is an open question; it could be done soon (so
> that the change will be available in FreeBSD 15.0) or after stable/15
> branches (making it available in FreeBSD 16.0).
>
I would like to see it go into FreeBSD 15.0 as enabled by default so this feature would be part of the default configuration and not just an effectively unsupported configuration.
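The sequence the quoted background describes (set NO_NEW_PRIVS through procctl(2), then call chroot(2)), written out as an added C example that is not part of this thread or of the chroot(8) source. It assumes security.bsd.unprivileged_chroot=1 on the host; off FreeBSD the NO_NEW_PRIVS call falls back to Linux prctl(2) so the file still builds, although Linux does not offer unprivileged chroot.

```c
/* Added example (not from the thread): the order an unprivileged process must
 * follow on FreeBSD to use chroot(2): enable NO_NEW_PRIVS via procctl(2), then
 * call chroot(2); needs security.bsd.unprivileged_chroot=1. Off FreeBSD the
 * flag call falls back to Linux prctl(2) so it builds; chroot still needs root. */
#include <err.h>
#include <stdio.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/procctl.h>
#else
#include <sys/prctl.h>
#endif

/* Set NO_NEW_PRIVS on the calling process (cannot be undone). 0 or -1 on error. */
int set_no_new_privs(void)
{
#ifdef __FreeBSD__
    int arg = PROC_NO_NEW_PRIVS_ENABLE;
    return procctl(P_PID, getpid(), PROC_NO_NEW_PRIVS_CTL, &arg);
#else
    return prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0);
#endif
}

/* chroot(2) gives EPERM to an unprivileged caller lacking NO_NEW_PRIVS, so set
 * it first; chdir("/") keeps the cwd from pointing outside the new root. */
int enter_unprivileged_chroot(const char *dir)
{
    if (set_no_new_privs() == -1)
        return -1;
    if (chroot(dir) == -1)
        return -1;
    return chdir("/");
}

int main(int argc, char **argv)
{
    const char *dir = argc > 1 ? argv[1] : "/var/empty";
    if (enter_unprivileged_chroot(dir) == -1)
        err(1, "chroot(%s)", dir);   /* EPERM: sysctl off or NO_NEW_PRIVS unset */
    puts("inside the new root");
    return 0;
}
```

Once NO_NEW_PRIVS is set, set-user-ID and set-group-ID bits are ignored for anything this process executes afterwards, which is the property the chroot(2) check relies on.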