Skip to content

ACP: std::os::unix::process::CommandExt::chroot #551

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
joshtriplett opened this issue Feb 27, 2025 · 3 comments
Closed

ACP: std::os::unix::process::CommandExt::chroot #551

joshtriplett opened this issue Feb 27, 2025 · 3 comments
Labels
ACP-accepted API Change Proposal is accepted (seconded with no objections) api-change-proposal A proposal to add or alter unstable APIs in the standard libraries T-libs-api

Comments

@joshtriplett
Copy link
Member

joshtriplett commented Feb 27, 2025
edited
Loading

Proposal

Problem statement

We provide std::os::unix::fs::chroot to provide a safe interface to chroot. However, we don't provide any safe way to run a child process in a chroot.

Solution sketch

// In `std::os::unix::process`, along with corresponding `impl`:
trait CommandExt {
    /// Set the root of the child process. This calls `chroot` in the child process before executing
    /// the command.
    ///
    /// This happens before changing to the directory specified with `Command::current_dir`, and
    /// that directory will be relative to the new root. If no directory has been specified with
    /// `Command::current_dir`, this will set the directory to `/`, to avoid leaving the current
    /// directory outside the chroot.
    fn chroot<P: AsRef<Path>>(&mut self, dir: P) -> &mut process::Command;
}

Alternatives

The proposed interface automatically sets the current directory for the child process if it isn't yet set, to avoid ending up in the situation where the current directory is outside the chroot. We could, instead, leave the current directory untouched, and leave the user responsible for calling current_dir themselves. However, I think it's worth not exposing the weird situation to users. If users really want to end up in that weird situation (e.g. because they're trying to write code that busts out of a chroot) they can make direct syscalls.

What happens now?

This issue contains an API change proposal (or ACP) and is part of the libs-api team feature lifecycle. Once this issue is filed, the libs-api team will review open proposals as capability becomes available. Current response times do not have a clear estimate, but may be up to several months.

Possible responses

The libs team may respond in various different ways. First, the team will consider the problem (this doesn't require any concrete solution or alternatives to have been proposed):

  • We think this problem seems worth solving, and the standard library might be the right place to solve it.
  • We think that this probably doesn't belong in the standard library.

Second, if there's a concrete solution:

  • We think this specific solution looks roughly right, approved, you or someone else should implement this. (Further review will still happen on the subsequent implementation PR.)
  • We're not sure this is the right solution, and the alternatives or other materials don't give us enough information to be sure about that. Here are some questions we have that aren't answered, or rough ideas about alternatives we'd want to see discussed.
@joshtriplett joshtriplett added api-change-proposal A proposal to add or alter unstable APIs in the standard libraries T-libs-api labels Feb 27, 2025
@joshtriplett joshtriplett mentioned this issue Feb 27, 2025
Merged
@joshtriplett
Copy link
Member Author

Implementation at rust-lang/rust#137759 .

@Amanieu
Copy link
Member

Amanieu commented May 20, 2025

ACP approved in the @rust-lang/libs-api meeting.

@Amanieu Amanieu added the ACP-accepted API Change Proposal is accepted (seconded with no objections) label May 20, 2025
@joshtriplett joshtriplett mentioned this issue May 20, 2025
Open
4 tasks
@joshtriplett
Copy link
Member Author

Tracking issue created. Thank you!

bors added a commit to rust-lang-ci/rust that referenced this issue May 21, 2025
@bors
Auto merge of rust-lang#137759 - joshtriplett:command-chroot, r=Amanieu
0424534 
Add `std::os::unix::process::CommandExt::chroot` to safely chroot a child process

This adds a `chroot` method to the `CommandExt` extension trait for the
`Command` builder, to set a directory to chroot into. This will chroot
the child process into that directory right before calling chdir for the
`Command`'s working directory.

To avoid allowing a process to have a working directory outside of the
chroot, if the `Command` does not yet have a working directory set,
`chroot` will set its working directory to "/".

---

ACP: rust-lang/libs-team#551

This PR currently has the tracking issue set to "none"; if the ACP is approved,
I'll file a tracking issue and update the PR.
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue May 21, 2025
@matthiaskrgr
Rollup merge of rust-lang#137759 - joshtriplett:command-chroot, r=Ama…
7b4f7a3 
…nieu

Add `std::os::unix::process::CommandExt::chroot` to safely chroot a child process

This adds a `chroot` method to the `CommandExt` extension trait for the
`Command` builder, to set a directory to chroot into. This will chroot
the child process into that directory right before calling chdir for the
`Command`'s working directory.

To avoid allowing a process to have a working directory outside of the
chroot, if the `Command` does not yet have a working directory set,
`chroot` will set its working directory to "/".

---

ACP: rust-lang/libs-team#551

This PR currently has the tracking issue set to "none"; if the ACP is approved,
I'll file a tracking issue and update the PR.
rust-timer added a commit to rust-lang-ci/rust that referenced this issue May 21, 2025
@rust-timer
Unrolled build for rust-lang#137759
3a0bcde 
Rollup merge of rust-lang#137759 - joshtriplett:command-chroot, r=Amanieu

Add `std::os::unix::process::CommandExt::chroot` to safely chroot a child process

This adds a `chroot` method to the `CommandExt` extension trait for the
`Command` builder, to set a directory to chroot into. This will chroot
the child process into that directory right before calling chdir for the
`Command`'s working directory.

To avoid allowing a process to have a working directory outside of the
chroot, if the `Command` does not yet have a working directory set,
`chroot` will set its working directory to "/".

---

ACP: rust-lang/libs-team#551

This PR currently has the tracking issue set to "none"; if the ACP is approved,
I'll file a tracking issue and update the PR.
github-actions bot pushed a commit to model-checking/verify-rust-std that referenced this issue May 23, 2025
@matthiaskrgr
Rollup merge of rust-lang#137759 - joshtriplett:command-chroot, r=Ama…
02d9329 
…nieu

Add `std::os::unix::process::CommandExt::chroot` to safely chroot a child process

This adds a `chroot` method to the `CommandExt` extension trait for the
`Command` builder, to set a directory to chroot into. This will chroot
the child process into that directory right before calling chdir for the
`Command`'s working directory.

To avoid allowing a process to have a working directory outside of the
chroot, if the `Command` does not yet have a working directory set,
`chroot` will set its working directory to "/".

---

ACP: rust-lang/libs-team#551

This PR currently has the tracking issue set to "none"; if the ACP is approved,
I'll file a tracking issue and update the PR.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
ACP-accepted API Change Proposal is accepted (seconded with no objections) api-change-proposal A proposal to add or alter unstable APIs in the standard libraries T-libs-api
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@joshtriplett @Amanieu