Subject: Re: chroot(2)
To: None <tech-kern@netbsd.org>
From: der Mouse <mouse@Rodents.Montreal.QC.CA>
List: tech-kern
Date: 10/05/1998 23:54:29
>> [...chroot jail...]

> This is one of the multitude of problems that exist for chroot.

> The other is that you can create dev entries and thus gain access to
> the entire machine.

> Add to the list presented so far:
> 	Shouldn't be able to load modules into the kernel.

Hang on a minute here.

chroot is not a jail.  It can be part of a jail.  It can also be used
for other, completely different, purposes, many of which would be
broken by having it magically do a bunch of things to turn it into a
jail.

This is not to say that the missing pieces of a jail shouldn't be
added.  Just that they shouldn't be confused with chroot(2).  The
reason I've been talking about having chroot(2) ever do anything
magical for anyone is to keep non-root processes that are in jails
from (ab)using chroot(2) to break out of the chroot portion of the
jail.  Ideally, there would be two ways to chroot, a jail way and a
non-jail way.  tar, which IIRC is what started this discussion, would
want to do a non-jail chroot; other things would want to do a jail
chroot.  I haven't thought much about how this interacts with non-root
processes....

					der Mouse

			       mouse@rodents.montreal.qc.ca
		     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
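
An added example, not part of the original message or thread: one check a defender can run over a directory tree intended as a chroot root, looking for the device entries the quoted text warns about. The function name `count_device_nodes` and the command-line usage are hypothetical, chosen for this illustration.

```c
#include <dirent.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>

/* Hypothetical helper (not from the thread): recursively count block and
 * character device nodes under `dir`, printing each one. Uses lstat() so
 * symlinks are never followed out of the tree. Returns -1 if `dir` itself
 * cannot be opened; unreadable entries deeper down are skipped. */
int count_device_nodes(const char *dir)
{
    DIR *d = opendir(dir);
    if (d == NULL)
        return -1;

    int found = 0;
    struct dirent *e;
    while ((e = readdir(d)) != NULL) {
        if (strcmp(e->d_name, ".") == 0 || strcmp(e->d_name, "..") == 0)
            continue;

        char path[4096];
        int n = snprintf(path, sizeof path, "%s/%s", dir, e->d_name);
        if (n < 0 || (size_t)n >= sizeof path)
            continue;                       /* path too long: skip */

        struct stat sb;
        if (lstat(path, &sb) != 0)
            continue;                       /* vanished or unreadable */

        if (S_ISCHR(sb.st_mode) || S_ISBLK(sb.st_mode)) {
            printf("device node inside tree: %s\n", path);
            found++;
        } else if (S_ISDIR(sb.st_mode)) {
            int sub = count_device_nodes(path);
            if (sub > 0)
                found += sub;
        }
    }
    closedir(d);
    return found;
}

int main(int argc, char **argv)
{
    const char *root = argc > 1 ? argv[1] : ".";
    int n = count_device_nodes(root);
    if (n < 0) { perror(root); return 2; }
    printf("%d device node(s) under %s\n", n, root);
    return n > 0;
}
```

A clean result only covers nodes that exist at scan time; it says nothing about whether a process inside the tree could create new ones later.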