chroot() as non-root user?

Ruslan Ermilov ru at freebsd.org
Sun Apr 13 08:42:37 PDT 2003 

On Sun, Apr 13, 2003 at 10:20:35AM -0500, Mark Shepard wrote:
> 
> I suspect this has been asked before but I'll ask anyway.
> 
> Q1: Is it possible for a non-root process to perform a chroot?
> 
> My interest is this:  I have a typical ISP hosting account (verio; on a 
> FreeBSD 4.4 server.)  I'd like to install and run various CGI packages, yet 
> protect myself (and my email, and my .ssh keys) from bugs being exploited 
> in those CGI packages.  Chroot at the start of each CGI would do the trick, 
> but requires root.  I suspect the answer here is "only root can do this"... 
> which leads me to ask, in general:
> 
Yes.

> Q2:  Why is chroot() only available to root?  I'm aware of *one* security 
> issue:  if a non-root user can perform chroot(), they can alter the 
> name-space "seen" by setuid programs, and potentially compromise them 
> (assuming a user-writable directory [like /tmp] on the same partition as a 
> setuid program.)  Are there any other reasons?  (Besides the issues with 
> fchdir() which I assume are adequately fixed).  Assuming there aren't any 
> other issues leads to my last Q... Actually, a proposal:
> 
You could then staff ${CHROOTDIR}/etc with arbitrary password databases
that would allow you to su(1) there and do anything as root, e.g.,
ifconfig(8).

> Q3:  Why not allow non-root users to chroot() _as long as the target dir. 
> is on a partition mounted nosuid_?  Seems like this would be a simple 
> mechanism (both to understand and to implement) and would allow regular 
> users to take advantage of chroot to improve the security of scripts, CGIs, 
> etc.
> 
chroot(2) has no effect on the process's current directory; you
could hide (hard-link) the setuid program (su(1)) there, so
removing this protection on the syscall level can easily result
in a compromise.

chroot(8) changes the current working directory, but it's not
setuid root.


Cheers,
-- 
Ruslan Ermilov		Sysadmin and DBA,
ru at sunbay.com		Sunbay Software AG,
ru at FreeBSD.org		FreeBSD committer,
+380.652.512.251	Simferopol, Ukraine

http://www.FreeBSD.org	The Power To Serve
http://www.oracle.com	Enabling The Information Age
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 187 bytes
Desc: not available
Url : http://lists.freebsd.org/pipermail/freebsd-security/attachments/20030413/9794ef34/attachment.bin

More information about the freebsd-security mailing list