The chroot(2) man page describes a sysctl called
'kern.chroot_allow_open_directories' which controls whether a process
can chroot() and is already subject to the chroot() syscall.
It seems that this sysctl can be trivially changed from within a
chroot'd process (ie: if that process has superuser privileges).
That's what securelevels are for.
DES
--
Dag-Erling Smørgrav - des@xxxxxx
_______________________________________________
freebsd-security@xxxxxxxxxxx mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribe@xxxxxxxxxxx"
kern.chroot_allow_open_directories ... The chrootman page describes a sysctl called ... can chroot() and is already subject to the chrootsyscall.... Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org ... (FreeBSD-Security)
Re: kern.chroot_allow_open_directories ... can chroot() and is already subject to the chrootsyscall.... Is this sysctl meant to prevent breaking out of a chroot? ... If the sysctl was set to 0 at the moment chrootwas called, then the chrootwould have failed if the calling process had open directories. ... (FreeBSD-Security)
Re: Chroot Jail Not Secure for Sandboxing Python? ... >> but does NOT provide chroot for the child process. ... > like a traditional chroot environment,... > Some solutions depend on linking to restricted libraries,... > programs importing some nice modules and getting round the controls:... (comp.lang.python)
Re: kern.chroot_allow_open_directories ... If the sysctl was set to 0 at the moment chroot() was called, ... chrootwould have failed if the calling process had open directories... and whether it makes sense to chroot superuser processes on FreeBSD.... (FreeBSD-Security)
Re: Chroot Jail Not Secure for Sandboxing Python? ... The os.exec call prepends the chroot directory to the absolute path, ... like a traditional chroot environment,... Some solutions depend on linking to restricted libraries,... programs importing some nice modules and getting round the controls:... (comp.lang.python)
