Subject: Re: chroot(2)
To: NetBSD Kernel Technical Discussion List <tech-kern@netbsd.org>
From: Michael Graff <explorer@flame.org>
List: tech-kern
Date: 10/01/1998 22:19:28
woods@most.weird.com (Greg A. Woods) writes:
> there are a *lot* of things you need to turn off for any non-root
> process that wants to lock itself in a chroot'ed jail. You essentially
> have to assume there are only two valid user-ids, that of the process
> and zero, and you can't allow any setuid exec(), no mknod(), no symbolic
> or hard links out of the jail, and probably a bunch of other things I've
> forgotten, and of course setting up such a jail in a safe configuration
> is non-trivial.
I'd also like to have user and group level access to TCP/UDP ports.
That way, I can start up named in a chroot()ed directory, as a
non-root user, and still have it open port 53 at will.
--Michael