[Bug 3715] safely_chroot is a little too restrictive: noexec or nosuid should be enough

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Jul 31 14:47:17 AEST 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3715

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
One problem here is that statvfs() isn't specified to return ST_NOEXEC
and ST_NODEV https://pubs.opengroup.org/onlinepubs/9799919799/ and
indeed quite a few operating systems don't do it:

https://man.freebsd.org/cgi/man.cgi?query=statvfs
https://man.openbsd.org/statvfs.3
https://developer.apple.com/library/archive/documentation/System/Conceptual/ManPages_iPhoneOS/man3/statvfs.3.html
https://docs.oracle.com/cd/E86824_01/html/E54765/statvfs-2.html

I thought it might be better to use statfs() here, which is specified
to offer this, even though it isn't POSIX but that comes with its own
problems as the f_flags isn't really specified there at all, e.g. 

https://man.openbsd.org/statfs.2

Practically here, f_flags gets set to the mount flags as per
https://man.openbsd.org/mount.2 - most other operating systems document
this.

It's a pity that POSIX.1-2024  didn't improve statvfs(3)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.


More information about the openssh-bugs mailing list