Subject: Re: chroot(2)
To: NetBSD Kernel Technical Discussion List <firstname.lastname@example.org>
From: Michael Graff <email@example.com>
Date: 10/01/1998 22:19:28

firstname.lastname@example.org (Greg A. Woods) writes:
> there are a *lot* of things you need to turn off for any non-root
> process that wants to lock itself in a chroot'ed jail. You essentially
> have to assume there are only two valid user-ids, that of the process
> and zero, and you can't allow any setuid exec(), no mknod(), no symbolic
> or hard links out of the jail, and probably a bunch of other things I've
> forgotten, and of course setting up such a jail in a safe configuration
> is non-trivial.

I'd also like to have user and group level access to TCP/UDP ports.
That way, I can start up named in a chroot()ed directory, as a
non-root user, and still have it open port 53 at will.