| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <1323364518.10724.65.camel@lenny> Date: Thu, 08 Dec 2011 12:15:17 -0500 From: Colin Walters <walters@...bum.org> To: Arnd Bergmann <arnd@...db.de> Cc: John Stoffel <john@...ffel.org>, LKML <linux-kernel@...r.kernel.org> Subject: Re: chroot(2) and bind mounts as non-root On Thu, 2011-12-08 at 17:04 +0000, Arnd Bergmann wrote: > I think the better question to ask is what is missing from 'schroot', which > is commonly used for exactly this purpose. Is it just about avoing the > suid bit for /usr/bin/schroot or something else? The trust model for schroot is that it only allows executing code downloaded from URLs in /etc/schroot/schroot.conf. That means it requires root for the initial setup to edit that config file, which disqualifies it from my use case (no part of the compilation should require root). In my approach, you can keep the OS tree (/usr/include, /usr/bin/gcc) owned by the user - there is absolutely no root-owned process running under any indirect control of the user (except the tiny bit for my new setuid binary). Now ultimately to *run* your installed program locally (say you're hacking on a system daemon like gdm), then clearly you need root. But nothing before that should. And if you're not running it locally (e.g. you're cross compiling, running a build server which distributes binaries to other machines), then there is no root required. -- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/
Powered by blists - more mailing lists