author | phk <phk@FreeBSD.org> | 1999-03-23 14:26:40 +0000 |
---|---|---|
committer | phk <phk@FreeBSD.org> | 1999-03-23 14:26:40 +0000 |
commit | e1c9acedca824cb3a177d665495a51bcebd0763a (patch) | |
tree | e118eebefa3e4bc2de7c8493dee101fd9faa6490 /lib | |
parent | a6cff8a40588e5200eaa3635409eaf799058be7d (diff) | |
Add a sysctl variable which can help stop chroot(2) escapes.

kern.chroot_allow_open_directories = 0
  chroot(2) fails if there are open directories.

kern.chroot_allow_open_directories = 1 (default)
  chroot(2) fails if there are open directories and the process
  is subject of a previous chroot(2).

kern.chroot_allow_open_directories = anything else
  filedescriptors are not checked. (old behaviour).

I'm very interested in reports about software which breaks when
running with the default setting.

Diffstat (limited to 'lib')
-rw-r--r-- | lib/libc/sys/chroot.2 | 31 |
1 files changed, 29 insertions, 2 deletions
diff --git a/lib/libc/sys/chroot.2 b/lib/libc/sys/chroot.2 index 10a9b5e..01258da 100644 --- a/lib/libc/sys/chroot.2 +++ b/lib/libc/sys/chroot.2 @@ -60,7 +60,33 @@ It should be noted that has no effect on the process's current directory. .Pp This call is restricted to the super-user. -.Sh RETURN VALUES +.Pp +Depending on the setting of the +.Ql kern.chroot_allow_open_directories +sysctl variable, open filedescriptors which reference directories +will make the +.Fn chroot +fail as follows: +.Pp +If +.Ql kern.chroot_allow_open_directories +is set to zero, +.Fn chroot +will always fail with EPERM if there are any directories open. +.Pp +If +.Ql kern.chroot_allow_open_directories +is set to one (the default), +.Fn chroot +will fail with EPERM if there are any directories open and the +process is already subject to a +.Fn chroot +call. +.Pp +Any other value for +.Ql kern.chroot_allow_open_directories +will bypass the check for open directories +.Pp Upon successful completion, a value of 0 is returned. Otherwise, a value of -1 is returned and .Va errno @@ -72,7 +98,8 @@ will fail and the root directory will be unchanged if: .It Bq Er ENOTDIR A component of the path name is not a directory. .It Bq Er EPERM -The effective user ID is not the super-user. +The effective user ID is not the super-user, or one or more +filedescriptors are open directories. .It Bq Er ENAMETOOLONG A component of a pathname exceeded 255 characters, or an entire path name exceeded 1023 characters. |
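Review bot: In the first hunk (@@ -60,7 +60,33 @@), replacing `.Sh RETURN VALUES` with `.Pp` drops the section header, so the unchanged "Upon successful completion, a value of 0 is returned" text now runs on as a continuation of the preceding paragraphs. Keep the `.Sh RETURN VALUES` line and insert the new sysctl paragraphs above it. The last added sentence, "will bypass the check for open directories", is also missing its closing period, and the two mentions of EPERM in the added text could use `.Er EPERM` to match the `.It Bq Er EPERM` entry further down.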
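Review bot: In the second hunk (@@ -72,7 +98,8 @@), the new EPERM entry reads as unconditional ("or one or more filedescriptors are open directories"), while the paragraphs added in the first hunk make that failure depend on the value of `kern.chroot_allow_open_directories`. Qualify the entry so it says the open-directory case applies subject to that sysctl setting; otherwise a reader of the error list alone will expect EPERM even when the check is bypassed. "filedescriptors" should be written "file descriptors" here and in the first hunk.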