Date: Sun, 15 Nov 1998 07:32:01 -0800 (PST) From: Marc Slemko <marcs@znep.com> To: zhihuizhang <bf20761@binghamton.edu> Cc: hackers <freebsd-hackers@FreeBSD.ORG> Subject: Re: Question on chroot() Message-ID: <Pine.BSF.4.05.9811150730230.12077-100000@alive.znep.com> In-Reply-To: <Pine.SOL.L3.93.981115102202.5823A-100000@bingsun2>
next in thread | previous in thread | raw e-mail | index | archive | help
On Sun, 15 Nov 1998, zhihuizhang wrote: > > I am quite confused with the usage of chroot(). It is said that chroot() > can only be performed by superuser and the chroot()'ed environment is > valid only for superuser that calls chroot() and its descendent (I assume > that a descendent inherits its parent's UID). > > However, a root can escape the environment withoud much difficulty. I > even find on the Web a page telling you how to break the chroot jail by > root. > > With these in mind, I can not figure out why the chroot() is really useful > to set up a ristricted access to a system and how a NORMAL user can be > setup to access only the chroot()'ed environment. I'm not sure if this is really freebsd-hackers material, but... Nothing stops root from switching to whatever other UID they want. So all you have to do is chroot(), then setuid() to some user before running whatever you want to run. It is also useful to provide isolated environments for cases where security isn't an issue, eg. build trees for things that do things relative to "/", etc. To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Pine.BSF.4.05.9811150730230.12077-100000>