Subject: Re: chroot(2)
To: None <email@example.com>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
Date: 10/04/1998 22:31:22
>> However, if *root* did the chroot, there's no need to disable
>> set-id. That's why I proposed a separate state bit for the process,
>> indicating that it has done a non-root chroot.
> "however, if *root* did the chroot, there's no need"...for root to
> run a suid binary to regain privileges.
Not necessarily true. If you've set up a shadow system (say you're
testing a new userland), you may have some services in inetd set up to
chroot to the new tree before running their daemons...in which case you
more or less *need* the new system to behave as much like a real system
as possible, including having set-id binaries work.
chroot isn't just for jails.
7D C8 61 52 5D E7 2D 39 4E F1 31 3E E8 B3 27 4B