[Cialug] CAP_SYS_CHROOT
Todd Walton
tdwalton at gmail.com
Wed Mar 9 16:13:30 UTC 2022
Are there any security implications of giving a process the CAP_SYS_CHROOT
capability? It seems like CAP_SYS_CHROOT's very existence would imply that
the kernel developers consider it something you might *not* want to grant.
But surely a process using chroot could only result in it having the same
or fewer permissions/privileges. Never more.
I understand the argument that "chroot is not a security feature". Yes,
yes. But it couldn't make things worse, could it? In what situations would
I *not* want to grant CAP_SYS_CHROOT?
--
Todd
More information about the Cialug
mailing list