[Bug 121073] [kernel] [patch] run chroot as an unprivileged user

bugzilla-noreply at freebsd.org bugzilla-noreply at freebsd.org
Mon May 21 03:51:35 UTC 2018


https://bugs.freebsd.org/bugzilla/show_bug.cgi?id=121073

Julian Elischer <julian at FreeBSD.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |julian at FreeBSD.org

--- Comment #12 from Julian Elischer <julian at FreeBSD.org> ---
If the ability to do this operation (unpriv chroot) is inherited, and the
ability to set that bit is only settable by root then a process can only do
this if a root ancestor has said that security is being lowered by this family
of processes. I would even go as far as saying secure level would disable it
along with a "no return" policy. (by which I mean once it is set in a process
and then used you cannot get that ability back ... full stop.)

This would allow the use of the functionality for "build machine" type
situations where in reality it is root or trusted proxy doing the chroot. In
addition it should be a one-shot... you use it, you lose it.
With the advent of "everyone has their own computer" I am not sure how
important it is to have "real users" be able to do builds.
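
Added example, not part of the original comment and not FreeBSD code: a user-space C model of the policy proposed above (root-only arming, inheritance across fork, one-shot use, no re-arming, disabled by securelevel). All names here (proc_model, arm_unpriv_chroot, fork_model, setuid_model, chroot_model, securelevel_model) are hypothetical; treating any securelevel above 0 as "disabled" and leaving root's own chroot path untouched are assumptions.

```c
#include <errno.h>
#include <stdbool.h>

/* Hypothetical per-process state for this model; not FreeBSD kernel fields. */
struct proc_model {
    int  uid;          /* 0 means root */
    bool may_chroot;   /* inheritable "unprivileged chroot allowed" bit */
    bool spent;        /* ability was used once: never re-armed ("no return") */
};

/* Stands in for the securelevel; assumption: any value above 0 disables the feature. */
static int securelevel_model = 0;

/* Only a root process can arm the bit, and never after it has been spent. */
int arm_unpriv_chroot(struct proc_model *p)
{
    if (p->uid != 0 || p->spent)
        return EPERM;
    p->may_chroot = true;
    return 0;
}

/* fork(): the child inherits the bit and the spent marker unchanged. */
struct proc_model fork_model(const struct proc_model *parent) { return *parent; }

/* Changing uid keeps both flags, so dropping or regaining root resets nothing. */
void setuid_model(struct proc_model *p, int uid) { p->uid = uid; }

/* Returns 0 if chroot would be permitted, EPERM otherwise. */
int chroot_model(struct proc_model *p)
{
    if (p->uid == 0)
        return 0;                  /* assumption: privileged path is unchanged */
    if (securelevel_model > 0 || !p->may_chroot)
        return EPERM;
    p->may_chroot = false;         /* one-shot: use it, lose it */
    p->spent = true;
    return 0;
}

int main(void)
{
    struct proc_model root = {0, false, false}, builder;
    arm_unpriv_chroot(&root);
    builder = fork_model(&root);
    setuid_model(&builder, 1001);  /* constructed uid for a build user */
    int first = chroot_model(&builder);
    int second = chroot_model(&builder);
    return (first == 0 && second == EPERM) ? 0 : 1;
}
```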
