On Thu, Dec 6, 2012 at 5:46 AM, matthew green <m...@eterna.com.au> wrote:
>
>> I've reread the whole thread but I don't understand how fch* and fexec*
>> differ.
>> As far as I can see they all cause the same sort of problems.
>> So, a solution should be the same for all of them.
>
> AFAIK (i didn't write a test), fchroot() outside of the chroot
> is already disallowed by the kernel.

Yes, this is why I said that we can easily "protect" fexec* just like we do with fch*. An open file descriptor passed to another chroot via fexec* is not a problem at all. If we _are_ able to restrict fch*, we will be able to do the same with fexec*.

> this, among several other additional changes our chroot support
> has, are why netbsd chroots are a better base for security than
> other platforms' chroots.

I think the proposed fexecve cannot weaken the NetBSD chroot. O_EXEC and the moment in time when permissions are checked is another question.
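The two points the reply separates, a descriptor carried across a chroot() and the question of when execute permission is checked (once at open(), as O_EXEC would, or again at exec time), as an added example that is not code from this thread or from NetBSD. It assumes a POSIX fexecve(), root privilege for the chroot part, a statically linked target binary, and a plain mode-bit permission model (ACLs, noexec mounts and securelevel are ignored); the hypothetical helper names are mine.

```c
/*
 * Added example: fd_exec_permitted() is the mode-bit test an exec-time check
 * performs on the file behind a descriptor; open_then_revoke_exec() shows how
 * its verdict differs from a single check made at open() time when the file's
 * permissions change in between.  main() (root only) opens a binary with the
 * whole filesystem in view, chroots into an empty directory, and runs the
 * binary from the inherited descriptor with fexecve(); no path is involved.
 * Assumptions: a statically linked target (a dynamic one fails inside an empty
 * chroot because the runtime linker is not visible there).
 */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Explicit prototype in case the feature macro above was not seen before
 * the first system header was included. */
extern int fexecve(int fd, char *const argv[], char *const envp[]);

/* 1 if the caller may execute the regular file behind fd right now, judged by
 * the owner/group/other exec bits (root needs any one of them).  Supplementary
 * groups are consulted; ACLs, noexec mounts and securelevel are out of scope. */
int fd_exec_permitted(int fd)
{
    struct stat st;
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode))
        return 0;
    uid_t uid = geteuid();
    if (uid == 0)
        return (st.st_mode & (S_IXUSR | S_IXGRP | S_IXOTH)) != 0;
    if (st.st_uid == uid)                     /* owner: only the user bit counts */
        return (st.st_mode & S_IXUSR) != 0;
    int in_group = (st.st_gid == getegid());
    int n = getgroups(0, NULL);
    if (!in_group && n > 0) {
        gid_t *groups = malloc((size_t)n * sizeof *groups);
        if (groups == NULL)
            return 0;
        n = getgroups(n, groups);
        for (int i = 0; i < n; i++)
            if (groups[i] == st.st_gid) { in_group = 1; break; }
        free(groups);
    }
    return (st.st_mode & (in_group ? S_IXGRP : S_IXOTH)) != 0;
}

/* Creates a mode-0755 shell script from the mkstemp() template in tmpl
 * (modified in place); returns its descriptor or -1.  Test fixture only. */
int create_temp_executable(char *tmpl)
{
    static const char script[] = "#!/bin/sh\nexit 0\n";
    int fd = mkstemp(tmpl);
    if (fd < 0)
        return -1;
    if (write(fd, script, sizeof script - 1) != (ssize_t)(sizeof script - 1)
        || fchmod(fd, 0755) != 0) {
        close(fd);
        unlink(tmpl);
        return -1;
    }
    return fd;
}

/* Opens path while it is executable (the moment an O_EXEC-style check would
 * run and record its verdict in *at_open), then clears the exec bits and asks
 * again: *at_exec is what a check made at fexecve() time sees on the same fd. */
int open_then_revoke_exec(const char *path, int *at_open, int *at_exec)
{
    int fd = open(path, O_RDONLY | O_CLOEXEC);
    if (fd < 0)
        return -1;
    *at_open = fd_exec_permitted(fd);
    if (fchmod(fd, 0644) != 0) {
        close(fd);
        return -1;
    }
    *at_exec = fd_exec_permitted(fd);
    close(fd);
    return 0;
}

/* Usage, as root, with a statically linked binary: ./a.out /rescue/ls */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s /path/to/static/binary\n", argv[0]);
        return 2;
    }
    /* O_CLOEXEC is fine for a native binary; a #! script would need the fd
     * to stay open for its interpreter.  Use O_EXEC where the platform has it. */
    int fd = open(argv[1], O_RDONLY | O_CLOEXEC);
    if (fd < 0 || !fd_exec_permitted(fd)) {
        fprintf(stderr, "%s: cannot open as executable\n", argv[1]);
        return 1;
    }
    char jail[] = "/tmp/fexecve.XXXXXX";       /* empty directory: nothing inside */
    if (mkdtemp(jail) == NULL || chroot(jail) != 0 || chdir("/") != 0) {
        perror("chroot (needs root)");
        return 1;
    }
    if (access(argv[1], F_OK) == 0)          /* expected to fail: path is gone */
        fprintf(stderr, "warning: %s is still visible inside the chroot\n", argv[1]);
    char *const args[] = { argv[1], NULL };
    char *const envp[] = { NULL };
    fexecve(fd, args, envp);                  /* runs the binary from the fd */
    perror("fexecve");                        /* only reached on failure */
    return 1;
}
```

The chroot part is the scenario the thread calls "an open file descriptor passed to another chroot": whatever restriction is applied to fch* would have to be applied at the fexecve() call, because the path lookup that the chroot normally constrains never happens. The open_then_revoke_exec() pair is the second question in isolation: a kernel that relies solely on an O_EXEC check at open() would still run a file whose exec bits were cleared afterwards, while a check at exec time would refuse it.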