It feels like you are trying to convince someone that
chroot("/");
equals not being chrooted at all.
In my view several things happen when a pid is started in a chroot,
including
1. the dir used as a parameter for the chroot will always be its own parent
dir so that you may never again go above it. You may (haven't checked)
chroot yourself lower again, but not "stop" the chroot.
2. You may not create device nodes since that would make it easy to defeat
the chroot if root.
This list may be far longer, but I don't think the docs need fixing for the
chroot("/"); case when mknod:ing.
2014-06-08 17:44 GMT+02:00 Andres Perera <andre...@zoho.com>:
> On Sun, Jun 8, 2014 at 3:51 AM, Otto Moerbeek <o...@drijf.net> wrote:
> > On Sun, Jun 08, 2014 at 02:59:08AM -0430, Andres Perera wrote:
> >
> >> On Sun, Jun 8, 2014 at 2:24 AM, Janne Johansson <icepic...@gmail.com>
> wrote:
> >> > I don't think there is a word for "chroot back".
> >>
> >> I don't think you read, understood, and executed the sample.
> >>
> >> After chroot("/"), or chroot(FOO), you can't mknod(2), therefore the
> >> description is wrong.
> >
> > What part is wrong?
> >
> > "alternate" directory might happen to be / itself.
>
> Even though it's the same directory as the previous root directory?
>
> How is it alternate, then?
>
> What's alternating, other than the root directory, which is *the same*?
>
> Either make this fd_rdir check a string comparison in addition to a
> null-pointer check or change the docs instead of being confusing:
>
> int
> domknodat(struct proc *p, int fd, const char *path, mode_t mode, dev_t dev)
> {
> struct vnode *vp;
> struct vattr vattr;
> int error;
> struct nameidata nd;
>
> if ((error = suser(p, 0)) != 0)
> return (error);
> if (p->p_fd->fd_rdir)
> return (EINVAL);
> ^^^^
>
> While that's silly
> > to do it's still an alternate to an unchrooted /.
> >
> > -Otto
> >
>
--
May the most significant bit of your life be positive.
