bug-hurd

Re: Server overriding; chroot


From: olafBuddenhagen
Subject: Re: Server overriding; chroot
Date: Wed, 19 Mar 2008 17:04:00 +0100
User-agent: Mutt/1.5.17+20080114 (2008-01-14)

Hi,

On Wed, Mar 19, 2008 at 02:15:22AM +0100, Pierre THIERRY wrote:
> olafBuddenhagen@gmx.net wrote on 18/03/2008 at 16:38:

> > Now the problem is that a chrooted process can create a passive
> > translator. When this translated node is accessed, the translator
> > process currently won't be started in the context of the chrooted
> > process, but in that of the normal global filesystem -- it has
> > access to everything, and can pass it on to the chrooted process.
> 
> That really calls for capability discipline in the Hurd interfaces,
> I'd say (I'm not sure, but it may have been one of the reasons the
> developers of the L4 port looked at capabilities). If the translator
> had to provide an explicit capability (whatever it would be in this
> case) that designates what it accesses, it should be relatively easier
> to secure the chroot.

I'm not sure what you mean here exactly.

When a translator is started, it gets a port to the underlying
filesystem node, from the process starting it (I think).

The problem is that passive translators are started by the parent
filesystem server to which they are attached, not by the process
accessing the node; thus they get a "normal", non-chrooted port, and
consequently have access to the whole filesystem tree.

One way to change this would be for the parent filesystem to take notice
that the process accessing the node is chrooted, and give the translator
only a chrooted port as well. Another way would be always to request the
port from the process accessing the node.

These are only two of the many variants I proposed in
http://tri-ceps.blogspot.com/2007/07/theory-of-filesystem-relativity.html
, and which were (somewhat) discussed in
http://lists.gnu.org/archive/html/gnu-system-discuss/2007-09/msg00118.html

> As I don't know the details of the communications between translators
> and the filesystem, I wonder: is there a documentation about it?

It is mentioned a bit here and there, but I don't know of any in-depth
documentation of this :-(

-antrik-
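The following is an added illustration, not code from this thread and not Hurd code: a toy Python model of the delegation question discussed above. A "port" is a capability rooted at one node (".." never climbs above that node), a process is confined by its root port, and a passive translator record on a node is started under one of three hypothetical policies: the parent filesystem server hands the translator its own global root (the behaviour the message describes), the parent server notices the accessing process's root and hands the translator a port rooted there, or the translator's port is requested from the accessing process. All names, paths and policy labels are constructed for the example; in this model the last two policies confine the translator identically.

```python
# Toy model of which root port a passive translator receives when it is
# started, and whether that port lets it reach nodes outside the chroot of
# the process that accessed the translated node. Constructed example; it is
# not Hurd code and simplifies heavily (one node tree, no real RPCs).
from typing import Optional


class Node:
    """A filesystem node; `translator` marks a passive translator setting."""

    def __init__(self, name: str, parent: Optional["Node"] = None):
        self.name = name
        self.parent = parent
        self.children: dict[str, "Node"] = {}
        self.translator: Optional[str] = None

    def mkdir(self, name: str) -> "Node":
        self.children[name] = Node(name, parent=self)
        return self.children[name]


class Port:
    """A capability naming one node as root. '..' never climbs above it, so
    the root of the port defines everything that is reachable through it."""

    def __init__(self, root: Node):
        self.root = root

    def lookup(self, path: str) -> Optional[Node]:
        cur = self.root
        for comp in path.strip("/").split("/"):
            if comp in ("", "."):
                continue
            if comp == "..":
                if cur is not self.root:
                    cur = cur.parent
                continue
            cur = cur.children.get(comp)
            if cur is None:
                return None
        return cur


class Process:
    """A process is confined by the root port it holds (its chroot)."""

    def __init__(self, name: str, root: Port):
        self.name = name
        self.root = root

    def settrans(self, path: str, translator: str) -> None:
        node = self.root.lookup(path)
        if node is None:
            raise FileNotFoundError(path)
        node.translator = translator


def start_translator(policy: str, fs_root: Node, accessor: Process,
                     node: Node) -> Port:
    """Return the root port a freshly started passive translator receives.

    'parent_fs'     hypothetical label for today's behaviour: the parent
                    filesystem server starts the translator with its own,
                    global root port.
    'chroot_aware'  the parent server notices the accessor's root and gives
                    the translator a port rooted there.
    'from_accessor' the port is requested from the accessing process.
    """
    if node.translator is None:
        raise ValueError("node carries no passive translator")
    if policy == "parent_fs":
        return Port(fs_root)
    if policy in ("chroot_aware", "from_accessor"):
        return Port(accessor.root.root)
    raise ValueError(f"unknown policy {policy!r}")


def translator_reaches(policy: str, fs_root: Node, accessor: Process,
                       access_path: str, target_path: str) -> bool:
    """True if a translator started for `access_path` (a path relative to
    the accessor's root) can reach the *global* node at `target_path`."""
    target = Port(fs_root).lookup(target_path)
    node = accessor.root.lookup(access_path)
    port = start_translator(policy, fs_root, accessor, node)
    return port.lookup(target_path) is target


def demo(policy: str) -> bool:
    """Constructed scenario: /jail is a chroot, /etc/secret lies outside."""
    root = Node("/")
    root.mkdir("etc").mkdir("secret")
    jail = root.mkdir("jail")
    jail.mkdir("mnt")
    jailed = Process("jailed", Port(jail))
    jailed.settrans("/mnt", "hypothetical-translator")  # relative to jail
    return translator_reaches(policy, root, jailed, "/mnt", "/etc/secret")


if __name__ == "__main__":
    for policy in ("parent_fs", "chroot_aware", "from_accessor"):
        print(policy, "->", "escapes chroot" if demo(policy) else "confined")
```

The model starts a translator afresh on every access; a real passive translator is started on first access and keeps running, so in practice the context of whichever process first triggers it is what matters, which is why both mitigations in the message attach the decision to the accessing process rather than to the node.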
