Subject: Re: chroot(2)
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Simon J. Gerraty <email@example.com>
Date: 10/04/1998 22:27:39
der Mouse writes:
> > I hate having to start proxies as root _just_ so they can chroot(2).
> Yeah...I tend to use chroot(8) to do the chroot, then have a tiny
But you still need to start as root. I'm talking about code I
basically trust, that I would prefer to start from inetd as nobody
rather than root.
matthew green <firstname.lastname@example.org> writes:
> personally, i've hacked chroot(8) to take -u, -g and -G arguments to
> set the user, group and group list of the process run in the chroot.
This sounds like a good idea.
I still like the idea of being able to dissable syscalls for a process
and its children. I think it would be worthwhile though to avoid
limiting the feature to non-root chroot(2)'d processes. Though I'm
not suggesting that MLS is necessary (the hacks I mentioned mjr
refering to were to demonstrate how trivial it is to achieve much of
what MLS promises).