Is it possible to exit the chroot(2) environment?
Yuri
yuri at rawbw.com
Sat Oct 17 00:01:52 UTC 2020
On 9/27/20 1:25 PM, Kyle Evans wrote:
> +1. I think an additional sentence pointing out that that's the
> traditional behavior would outline that this is perhaps what's needed,
> maybe with a specific EPERM reference.
>
> It's tempting to also propose switching it to the even-more-strict 0
> at some point, perhaps considering a procctl(2) if we really find some
> scenarios where it's absolutely necessary... we'll leave that battle
> to a different day, though.
I have several questions though:
1) What does this check really guard against?
kern.chroot_allow_open_directories=0 prevents chroot(2) when there are
open directories, and kern.chroot_allow_open_directories=1 prevents exit
from chrooted environment when there were open directories. But what is
the benefit? The process opened some directories and holds open file
handles. How can this interfere with choot? What could go wrong that is
prevented by this check?
2) Why is there no similar check for open files? Why directories are
special?
Thank you,
Yuri
More information about the freebsd-hackers
mailing list