Is it possible to exit the chroot(2) environment?
Kyle Evans
kevans at freebsd.org
Sun Sep 27 20:25:48 UTC 2020
On Sun, Sep 27, 2020 at 3:15 PM Warner Losh <imp at bsdimp.com> wrote:
>
>
>
> On Sun, Sep 27, 2020, 2:09 PM Kyle Evans <kevans at freebsd.org> wrote:
>>
>> On Sun, Sep 27, 2020 at 3:04 PM Yuri <yuri at rawbw.com> wrote:
>> >
>> > On 2020-09-27 12:56, Kyle Evans wrote:
>> > > kern.chroot_allow_open_directories to some value that isn't 0 or 1.
>> >
>> >
>> > It succeeds with kern.chroot_allow_open_directories=2.
>> >
>> >
>>
>> Ok, so Warner's proposal was correct and we've verified the semantics
>> work out the same, this is simply a behavioral difference in that
>> we're a little more strict -- presumably to make it less trivial to
>> break out of a chroot.
>>
>> I suspect a default change for the sysctl/behavior is unlikely, your
>> best bet to move forward is probably to work out if they really need
>> to have dangling directories open and correct that if at all possible.
>
>
> To be fair, we are more strict than Linux... but it is documented. Though if there were some way to highlight that better, I'd be open to working that in. Maybe a sentence on 'any other value' paragraph talking about traditional behavior...
>
+1. I think an additional sentence pointing out that that's the
traditional behavior would outline that this is perhaps what's needed,
maybe with a specific EPERM reference.
It's tempting to also propose switching it to the even-more-strict 0
at some point, perhaps considering a procctl(2) if we really find some
scenarios where it's absolutely necessary... we'll leave that battle
to a different day, though.
More information about the freebsd-hackers
mailing list