Subject: Re: replace chroot() with a chroot overlay file system?
To: None <tech-security@NetBSD.org>
From: Matthias Scheler <tron@zhadum.de>
List: tech-security
Date: 11/04/2005 13:34:01
In article <20051102004959.D95A13BFCE0@berkshire.machshav.com>,
"Steven M. Bellovin" <smb@cs.columbia.edu> writes:
> What if we replaced the chroot() system call by an overlay file
> system, mounted over some subtree? The advantage is that that file
> system could be mounted read-only, nosuid, nodev, even noexec.
You can't use "nodev":
tron@colwyn:~>ls -l /var/chroot/named/dev
total 0
crw-rw-rw- 1 root wheel 2, 2 Dec 27 2003 null
cr--r--r-- 1 root wheel 46, 0 Mar 12 2002 random
And without "nodev" somebody with root privileges can still escape
or at least cause damage. Maybe we need a "nomakedev" option?
Kind regards
--
Matthias Scheler http://scheler.de/~matthias/
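A defender-side check that follows from the point above, added here as an example that is not from the mailing list or from NetBSD: without "nodev", the only way to notice an extra device node created inside the chroot is to look for it, so this script walks a chroot and flags any character or block device whose path or (major, minor) pair is not on an allowlist. The allowlist numbers are those in the ls output above and are assumed to match that host only; the sample records are constructed.

```python
import os
import stat

# Allowlist taken from the ls(1) output above: null is (2, 2) and random is
# (46, 0) on that NetBSD host. Device numbers are OS-specific; adjust them.
EXPECTED_DEVICES = {"dev/null": (2, 2), "dev/random": (46, 0)}

def audit_entries(entries, expected=EXPECTED_DEVICES):
    """Report every character or block device that is not on the allowlist.

    entries: iterable of (path relative to chroot, st_mode, major, minor).
    """
    findings = []
    for rel, mode, major, minor in entries:
        if not (stat.S_ISCHR(mode) or stat.S_ISBLK(mode)):
            continue  # regular files, dirs, symlinks do not matter for a nodev check
        kind = "char" if stat.S_ISCHR(mode) else "block"
        want = expected.get(rel)
        if want is None:
            findings.append(f"unexpected {kind} device {rel} ({major},{minor})")
        elif want != (major, minor):
            findings.append(f"{rel} has device numbers ({major},{minor}), expected {want}")
    return findings

def walk_chroot(root):
    """Collect (relpath, st_mode, major, minor) for every entry under root."""
    out = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: never follow symlinks out of the tree
            out.append((os.path.relpath(full, root), st.st_mode,
                        os.major(st.st_rdev), os.minor(st.st_rdev)))
    return out

def sample_entries():
    """Constructed records: the two expected nodes, a config file, two rogue nodes."""
    return [
        ("dev/null", stat.S_IFCHR | 0o666, 2, 2),
        ("dev/random", stat.S_IFCHR | 0o444, 46, 0),
        ("etc/named.conf", stat.S_IFREG | 0o644, 0, 0),
        ("dev/extra", stat.S_IFBLK | 0o600, 0, 0),   # not on the allowlist
        ("dev/random", stat.S_IFCHR | 0o444, 2, 2),  # right name, wrong numbers
    ]

if __name__ == "__main__":
    import sys
    for finding in audit_entries(walk_chroot(sys.argv[1])):
        print(finding)
```

Run it as root against the chroot directory (e.g. /var/chroot/named); an empty report means only the allowlisted nodes are present.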