Displaying 8 results from an estimated 8 matches for "sys_chroot".
2016 Jul 20
0
[Bug 2600] New: Use Linux capabilities to revoke additional permissions from chrooted users
...r parts of
code).
With SELinux, we can avoid giving out setuid, setgid capabilities to
the very limited SELinux users which is very desirable (we can't switch
SELinux context in chroot, so we had to have these permissions to drop
uid and gid).
The new behavior drops all capabilities (except SYS_CHROOT) before
chroot and the SYS_CHROOT capability just after it. Even if the first
attempt fails (prevented by SELinux), the privileges are dropped as
before using permanently_set_uid().
This patch is implemented using libcap-ng [1] library, which is making
the use of the Linux capabilities much easier...
2003 Apr 13
2
chroot() as non-root user?
I suspect this has been asked before but I'll ask anyway.
Q1: Is it possible for a non-root process to perform a chroot?
My interest is this: I have a typical ISP hosting account (verio; on a
FreeBSD 4.4 server.) I'd like to install and run various CGI packages, yet
protect myself (and my email, and my .ssh keys) from bugs being exploited
in those CGI packages. Chroot at the start
2019 Dec 30
2
dovecot cannot drop privileges inside singularity container
Hi all
I'm facing an issue while running dovecot inside a singularity
(https://sylabs.io/singularity/) container
dovecot version is 2.3.4.1 (configuration below) running on debian
buster, inside a container made with singularity version 3.4.2
unfortunately, when I try to start dovecot, it gives:
Singularity test.sif:~> cat /var/log/mail.log
Dec 30 17:23:38 testnode dovecot: master:
2016 Mar 19
0
[Bug 2556] New: on Linux non-root process can chroot
...2.org
Currently sshd exits with fatal error if it see ChrootDirectory option
when running as non-root,
https://github.com/openssh/openssh-portable/blob/c38905ba391434834da86abfc988a2b8b9b62477/session.c#L1591
.
This is wrong on Linux as there non-root process can perform chroot as
long as it has SYS_CHROOT effective capability. So the code should
either query the capability or the check should be removed as sshd
treats any chroot syscall errors as fatal in any case.
--
You are receiving this mail because:
You are watching the assignee of the bug.
2020 Jan 02
0
dovecot cannot drop privileges inside singularity container
Have you tried setting linux capabilities, like
NET_BIND_SERVICE,CHOWN,SYS_CHROOT,SETGID? Have you checked the
permissions of paths? I had to relocate the run dir with things like
these
&& mkdir /var/dovecot \
&& mkdir /var/lib/dovecot \
&& (umask 027 ; mkdir /var/dovecot/login) \
&& (umask 022 ; mkdir /var/dovecot/empty) \...
2023 Mar 28
0
dns_tkey_gssnegotiate: TKEY is unacceptable
...ib/samba/sysvol/thecompumax.com/scripts
read only = No
--------------------
/etc/hosts
127.0.0.1 localhost
192.168.2.3 compumaxdc03.thecompumax.com compumaxdc03
--------------------
/etc/apparmor.d/usr/sbin.named
capability net_bind_service,
capability setgid,
capability setuid,
capability sys_chroot,
capability sys_resource,
/etc/bind/** r,
/var/lib/bind/** rw,
/var/lib/bind/ rw,
/var/cache/bind/** lrw,
/var/cache/bind/ rw,
# Database file used by allow-new-zones
/var/cache/bind/_default.nzd-lock rwk,
# gssapi
/etc/krb5.keytab kr,
/etc/bind/krb5.keytab kr,
# gssapi...
2019 May 15
1
Workstations cannot update DNS
> > > > *named.conf.options*
> > > > options {
> > > > directory "/var/cache/bind";
> > > >
> > > > // If there is a firewall between you and nameservers you want
> > > > // to talk to, you may need to fix the firewall to allow multiple
> > > > // ports to talk.
2003 May 22
0
[PATCH 2.5.69 2/3] Remove NFS root support from the kernel
...+337,13 @@
root_device_name += 5;
}
+ if (ROOT_DEV == Root_InitRamFS)
+ goto done;
+
+ mount_devfs();
+
+ md_run_setup();
+
is_floppy = MAJOR(ROOT_DEV) == FLOPPY_MAJOR;
/* This has to be before mounting root, because even readonly mount of reiserfs would replay
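Review bot: the added `if (ROOT_DEV == Root_InitRamFS) goto done;` jumps past the newly added `mount_devfs()` and `md_run_setup()` calls and, as the following hunk shows, past `sys_chroot(".")` and `security_sb_post_mountroot()` as well, so the initramfs case leaves the function without the chroot or the LSM post-mount hook ever running. If that is the intended behaviour, a one-line comment at the `goto` stating that initramfs is already the root and needs no chroot or post-mountroot hook would spare the reader from having to find the `done:` label to work it out.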
@@ -382,5 +363,7 @@
sys_chroot(".");
security_sb_post_mountroot();
mount_devfs_fs ();
+done:
+ return;
}
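Review bot: `done:` is followed by a bare `return;` as the last statement of the function only because C requires a statement after a label; the return itself does nothing at that point. Either keep it with a short comment saying it only exists to give the label a statement, or write `done: ;` so the intent is clear without a comment.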
diff -Nru a/kernel/sysctl.c b/kernel/sysctl.c
--- a/kernel/sysctl.c Thu May 22 15:40:37 2003
+++ b/kernel/sysctl.c Thu May 22 15:40:37 2003
@@ -37,10 +37,6 @@
#include <linux/security.h>
#include <...