Exit from os.chroot()

[Thomas Bellman]

Wolfgang Draxinger <wdraxinger at darkstargames.de> wrote:

> So you need some programs in your chroot: Then put a directory
> usr/bin into the chroot directory and bind the system's /usr/bin
> there:

> mount --bind /usr/bin $chroot/usr/bin

That might not be the best idea...  Suddenly the chroot:ed
program has access to the real /usr/bin; and since it likely is
running as root (it was allowed to call chroot()), it can do bad
things to the things in /usr/bin.  Even if the process has
relinquished its privileges (which it should!), you will give it
access to unnecessarily many programs, many of which are setuid
or setgid.

It is better to make copies of the needed binaries and libraries,
and *only* them.

> Another option
> would be to place a statically linked busybox and it's
> subprogram links into the chroot

Much better than bind-mounting (or loopback-mounting if you are
on SunOS/Solaris instead of Linux).  Of course, assuming that
busybox implements the command the OP needs. :-)

Also remember, a chroot:ing process should permanently relinquish
its privileges as soon as possible after chroot:ing.  There are
way too many fun things a root-running process can do even when
chroot:ed, like creating device files or setuid binaries.


All this is of course assuming that the chroot is done for
security reasons.  There are other reasons one might want to
run in chroot.


-- 
Thomas Bellman,   Lysator Computer Club,   Linköping University,  Sweden
"Life IS pain, highness.  Anyone who tells   !  bellman @ lysator.liu.se
 differently is selling something."          !  Make Love -- Nicht Wahr!