[PATCH 1/3] enabled chroot for all users

2013-03-20 Thread tal . tchwella
From: Tal Tchwella This patch enables chroot for all users, not just root users, by disabling the appropriate checks in fs/open.c. It also disables nested chroots by non-root users, so they will not be able to break out of a chroot using classic techniques. Signed-off-by: Tal Tchwella --- fs

[PATCH 2/3] socket checks for uds fds transfer

2013-03-20 Thread tal . tchwella
From: Tal Tchwella This patch checks whether another user is trying to send a chrooted application by a non-root user a fd to a directory, which will allow it to escape. By preventing this kind of fd transfer to chrooted applications by non-root users, certain security risks are mitigated

[PATCH 0/3] Patches to enable chroot for all users

2013-03-20 Thread tal . tchwella
From: Tal Tchwella I want to suggest adding chroot capability to all users. The following patches enable that capability, while considering the security mechanism needed to disable escape routes for chroots by non-root users, and keeping chroot backward-compatible for root users. The first

[PATCH 3/3] open fds check when starting chroot

2013-03-20 Thread tal . tchwella
From: Tal Tchwella This patch checks for open fds to directories when a non-root user tries to chroot, and does not allow that user to chroot if the application has an open fd to a directory because the application has an escape path with that fd. Signed-off-by: Tal Tchwella --- fs/open.c

[PATCH 1/3] enabled chroot for all users

2013-03-20 Thread Tal Tchwella
This patch enables chroot for all users, not just root users, by disabling the appropriate checks in fs/open.c. It also disables nested chroots by non-root users, so they will not be able to break out of a chroot using classic techniques. Signed-off-by: Tal Tchwella --- fs/exec.c

[PATCH 0/3] Patches to enable chroot for all users

2013-03-20 Thread Tal Tchwella
the option for applications that have open fds to directories to be chrooted by a non-root user. Any comments, feedback and suggestions are appreciated! Thanks, Tal Tal Tchwella (3): enabled chroot for all users socket checks for uds fds transfer open fds check when starting chroot fs

[PATCH 3/3] open fds check when starting chroot

2013-03-20 Thread Tal Tchwella
This patch checks for open fds to directories when a non-root user tries to chroot, and does not allow that user to chroot if the application has an open fd to a directory because the application has an escape path with that fd. Signed-off-by: Tal Tchwella --- fs/open.c | 24

[PATCH 2/3] socket checks for uds fds transfer

2013-03-20 Thread Tal Tchwella
This patch checks whether another user is trying to send a chrooted application by a non-root user a fd to a directory, which will allow it to escape. By preventing this kind of fd transfer to chrooted applications by non-root users, certain security risks are mitigated. Signed-off-by: Tal