[lxc-devel] Reg: Difference between chroot & pivot_root

Michael H. Warfield mhw at WittsEnd.com
Tue Sep 6 17:43:11 UTC 2011

On Tue, 2011-09-06 at 13:02 -0400, Alphonse Hansel Anthony wrote:
> Hi,
>    What is the difference between chroot & pivot_root?
>    They don't seem obvious based on the man pages apart from the below
> mentioned caveats.

> 1) Inherited open file descriptors have to be explicitly closed.
> 2) Does not change the CWD of the process, which can be overcome by doing a
>    chdir before & after the chroot call.

> Any information on this would be useful.

Operationally and functionally these two things would appear to be very
very similar and they do similar things.  They change the root pointer
for "/" to point at a new location.  There are some subtle differences
in there that I will leave to others to describe.  One not so subtle
difference is that, if you execute a pivot_root you affect everything in
that context.  If it's a container, you only impact the container.  If
you do it on the host, it's the entire OS that's impacted.

For me, the real difference is the security aspects.  The chroot action
has some known security holes.  They are NOT really considered "bugs"
per se but "design characteristics" and not likely to ever be really
"fixed" per se.  The OpenVZ bunch and/or maybe the Linux-Vservers bunch
came up with their own solutions to the chroot holes that allow a
superuser in a chrooted environment to "escape" and either leak
information or access information or influence activities outside of the
chrooted environment.  The pivot_root action performs the same activity
without those security problems and without the need to "fix" chroot.
Which is why Daniel switched from chroot to pivot_root ages ago.

All that being said, pivot_root is not without its own set of problems
and things got broken and fixed along that road too.  We're still
dealing with other leakage and escape methods which are outside of the
whole chroot / pivot_root context as well.

> Thanks,
> Alphonse

I think I got that all right.  :-P
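The pivot_root route the reply prefers, as an added example that is neither from this thread nor LXC's own code: entering a new root inside a private mount namespace and then unmounting the old tree, so that, unlike chroot, no path in the namespace leads back to the host filesystem. The function names, the /.pivot_old directory and the requirement that new_root be a directory path without a trailing slash are assumptions of this example.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* pivot_root(2) requires put_old to be at or underneath new_root. The kernel
 * enforces this; the check here mirrors the rule so a caller can fail early
 * (assumes new_root carries no trailing slash). */
int put_old_is_under(const char *new_root, const char *put_old)
{
    size_t n = strlen(new_root);
    if (strncmp(new_root, put_old, n) != 0)
        return 0;
    return put_old[n] == '\0' || put_old[n] == '/';
}

/* Enter new_root the way a container runtime does. Returns 0 on success,
 * -1 with errno set by the failing call. Needs CAP_SYS_ADMIN. */
int pivot_into_root(const char *new_root)
{
    char put_old[4096];
    int len = snprintf(put_old, sizeof put_old, "%s/.pivot_old", new_root);
    if (len < 0 || len >= (int)sizeof put_old) {
        errno = ENAMETOOLONG;
        return -1;
    }
    /* 1. Private mount namespace: the pivot then affects only this context
     *    (the "container"), not the host's "/". */
    if (unshare(CLONE_NEWNS) == -1) return -1;
    if (mount("none", "/", NULL, MS_REC | MS_PRIVATE, NULL) == -1) return -1;
    /* 2. new_root must itself be a mount point; a recursive bind mount of
     *    the directory onto itself satisfies that. */
    if (mount(new_root, new_root, NULL, MS_BIND | MS_REC, NULL) == -1) return -1;
    if (mkdir(put_old, 0700) == -1 && errno != EEXIST) return -1;
    /* 3. Swap the roots. glibc has no wrapper, hence syscall(2). */
    if (syscall(SYS_pivot_root, new_root, put_old) == -1) return -1;
    if (chdir("/") == -1) return -1;
    /* 4. The old tree is unmounted, not merely hidden as with chroot(2): no
     *    path in this namespace leads back to the host filesystem. */
    if (umount2("/.pivot_old", MNT_DETACH) == -1) return -1;
    rmdir("/.pivot_old");
    return 0;
}
```

Call pivot_into_root() from the process that will become the container's init, before it drops privileges and execs the workload.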

