Subject: Re: chroot(2)
To: None <tech-kern@netbsd.org>
From: Warner Losh <imp@village.org>
List: tech-kern
Date: 10/06/1998 01:02:02
In message <199810060354.XAA15849@Twig.Rodents.Montreal.QC.CA> der Mouse writes:
: chroot is not a jail.  It can be part of a jail.  It can also be used
: for other, completely different, purposes, many of which would be
: broken by having it magically do a bunch of things to turn it into a
: jail.

The whole point of chroot is to make it possible to have a sandbox
that can do whatever it wants w/o impacting the running of a system,
within some well known limits.  Loading an LKM impacts the entire
system, by definition.

: This is not to say that the missing pieces of a jail shouldn't be
: added.  Just that they shouldn't be confused with chroot(2).  The
: reason I've been talking about having chroot(2) ever do anything
: magical for anyone is to keep non-root processes that are in jails
: from (ab)using chroot(2) to break out of the chroot portion of the
: jail.  Ideally, there would be two ways to chroot, a jail way and a
: non-jail way.  tar, which IIRC is what started this discussion, would
: want to do a non-jail chroot; other things would want to do a jail
: chroot.  I haven't thought much about how this interacts with non-root
: processes....

There needs to be some way to make chroot safe for the KIDZ w/o
impacting the system.  If this is done with additional system calls
(e.g. don't let this process, or any of its children, use root as ROOT),
then that is fine too.

Warner