Source-Changes-HG archive


[src/trunk]: src/lib/libc/sys Document new chroot-related restrictions on fch...



details:   https://anonhg.NetBSD.org/src/rev/958f27cadc7b
branches:  trunk
changeset: 467652:958f27cadc7b
user:      sommerfe <sommerfe%NetBSD.org@localhost>
date:      Fri Mar 26 23:37:27 1999 +0000

description:
Document new chroot-related restrictions on fchdir, chroot, and ptrace
made possible by the kernel getcwd infrastructure

diffstat:

 lib/libc/sys/chdir.2  |   8 +++++++-
 lib/libc/sys/chroot.2 |  11 +++++++++--
 lib/libc/sys/ptrace.2 |  10 +++++++++-
 3 files changed, 25 insertions(+), 4 deletions(-)

diffs (79 lines):

diff -r 6a0cb9699540 -r 958f27cadc7b lib/libc/sys/chdir.2
--- a/lib/libc/sys/chdir.2      Fri Mar 26 23:36:02 1999 +0000
+++ b/lib/libc/sys/chdir.2      Fri Mar 26 23:37:27 1999 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: chdir.2,v 1.11 1999/03/22 19:45:01 garbled Exp $
+.\"    $NetBSD: chdir.2,v 1.12 1999/03/26 23:37:27 sommerfe Exp $
 .\"
 .\" Copyright (c) 1980, 1991, 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -117,6 +117,11 @@
 The argument
 .Fa fd
 is not a valid file descriptor.
+.It Bq Er EPERM
+The argument
+.Fa fd
+references a directory which is not at or below the current process's
+root directory.
 .El
 .Sh SEE ALSO
 .Xr chroot 2
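Review bot: The new EPERM entry says "at or below the current process's root directory", while the chroot.2 text in this same commit says "at or under the new root directory"; use one phrase across chdir.2, chroot.2 and ptrace.2 so it is clear the same containment test is meant. "the current process's root directory" can also be misread as "the process's current root directory"; "the calling process's root directory" would be unambiguous.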
@@ -131,3 +136,4 @@
 function call
 appeared in
 .Bx 4.2 .
+
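Review bot: The only change in this hunk is an empty line appended after ".Bx 4.2 ." at the end of chdir.2. It adds no content, and mdoc source normally avoids blank lines, so this hunk should be dropped.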
diff -r 6a0cb9699540 -r 958f27cadc7b lib/libc/sys/chroot.2
--- a/lib/libc/sys/chroot.2     Fri Mar 26 23:36:02 1999 +0000
+++ b/lib/libc/sys/chroot.2     Fri Mar 26 23:37:27 1999 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: chroot.2,v 1.10 1999/03/22 19:45:01 garbled Exp $
+.\"    $NetBSD: chroot.2,v 1.11 1999/03/26 23:37:27 sommerfe Exp $
 .\"
 .\" Copyright (c) 1983, 1991, 1993
 .\"    The Regents of the University of California.  All rights reserved.
@@ -57,7 +57,9 @@
 In order for a directory to become the root directory
 a process must have execute (search) access for that directory.
 .Pp
-It should be noted that
+If the current working directory is not at or under the new root
+directory, it is silently set to the new root directory.
+It should be noted that, on most other systems,
 .Fn chroot
 has no effect on the process's current directory.
 .Pp
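Review bot: The added sentence documents that the working directory is "silently set to the new root directory", and the sentence kept after it says that "on most other systems" chroot leaves the current directory alone, but nothing tells the reader what to do about the difference. Add a sentence advising portable callers to still change directory explicitly after chroot instead of relying on the behaviour described here.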
@@ -98,3 +100,8 @@
 .Fn chroot
 function call appeared in
 .Bx 4.2 .
+Working directory handling was changed in 
+.Nx 1.4
+to prevent one way a process could use a second 
+.Fn chroot
+call to a different directory to "escape" from the restricted subtree.
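Review bot: The added lines "+Working directory handling was changed in " and "+to prevent one way a process could use a second " both end in trailing whitespace, which should be stripped. The literal ASCII quotes around "escape" would be better written with the mdoc quoting macro (.Dq). The wording "one way" is suitably narrow; consider repeating that limit next to the behaviour description in the earlier hunk, so a reader who skips the history text does not take the change as making chroot a complete containment boundary.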
diff -r 6a0cb9699540 -r 958f27cadc7b lib/libc/sys/ptrace.2
--- a/lib/libc/sys/ptrace.2     Fri Mar 26 23:36:02 1999 +0000
+++ b/lib/libc/sys/ptrace.2     Fri Mar 26 23:37:27 1999 +0000
@@ -1,4 +1,4 @@
-.\"    $NetBSD: ptrace.2,v 1.7 1999/03/22 19:45:07 garbled Exp $
+.\"    $NetBSD: ptrace.2,v 1.8 1999/03/26 23:37:27 sommerfe Exp $
 .\"
 .\" This file is in the public domain.
 .Dd November 7, 1994
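Review bot: The context line ".Dd November 7, 1994" is left unchanged although this commit changes the documented behaviour of ptrace.2; bump the document date along with the RCS id so the page date reflects the new restrictions.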
@@ -158,6 +158,14 @@
 process is running as root, these restrictions do not apply.)  The
 tracing process will see the newly-traced process stop and may then
 control it as if it had been traced all along.
+.Pp
+Two other restrictions apply to all tracing processes, even those
+running as root.  First, no process may trace the process running
+.Xr init 8 .
+Second, if a process has its root directory set with
+.Xr chroot 2 ,
+it may not trace another process unless that process's root directory
+is at or below the tracing process's root.
 .It Dv PT_DETACH
 This request is like PT_CONTINUE, except that it does not allow
 specifying an alternative place to continue execution, and after it
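Review bot: The new paragraph states two restrictions but not what the caller gets back when one is violated; the chdir.2 change in this commit adds an explicit EPERM entry, and ptrace.2 should document the corresponding error in the same way. The paragraph also says the rules apply to "all tracing processes" while being placed inside the list item that precedes PT_DETACH, so it should say whether they apply only to that request or to every request.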


