grsecurity forums

Hi,

As per chroot privilege setup, chroot must be called by root user. But our application requires one more normal user to call chroot very badly . Is there any Grsec chroot config parameter to help me out of this ? Any other suggestion would be helpful.

Thanks,
Jai

No way with grsecurity to do this.

You need to be root to do this. You could create a suid binary that gets root, does the chroot, and then drops back down to the previous user's privileges. If you need something more persistent than that (ie; sub processes need to call chroot), then you can instead have the suid binary get root, drop all capabilities except CAP_SYS_CHROOT, and drop back down to the user privileges. That will make that process (and any sub-process, I believe) able to make the chroot system call without being root.

Or there might be another way to add a capability (CAP_SYS_CHROOT) to a binary, process, or user, with some of the libcap userspace utilities (setpcaps, sucap, etc) but I'm not aware of how to do this for your situation.

Very much thanks for your support. I guess adding CAP_SYS_CHROOT capability to my user must solve my problem . But googling around on how to do this doesn't yield any good result. If possible can you please guide me to the solution of adding this capability to my user !. Thanks in advance.

I did some searching and found a pam_capability module. I compiled it on my system (centos 5) and the module in debug mode says it's successful, and I also see this output:

$ /usr/sbin/getpcaps $$
Capabilities for `5841': = cap_sys_chroot+i

But trying to do the chroot syscall didn't actually work. Not sure why yet. I found the code on google code:

http://code.google.com/p/pamcap/

It hasn't been updated since September 2002, and says it has only been tested on 2.4 kernels. If I have time tonight I'll take a deeper look into this.