Subject: Re: Getting rid of /dev/veriexec
To: Elad Efrat <>
From: Steven M. Bellovin <>
List: tech-kern
Date: 12/02/2005 09:00:03

In message <>, Elad Efrat writes:
>Can you give me an example of a root-owned process inside a chroot()?
>Most, if not all examples of chroot() usage I know make sure to drop
>root privileges.

ntpd.  ftpd has to run as root part of the time, to bind to port 20.  
apache keeps a portion of itself as root; suexec, if you use it (and 
you probably should), always runs as root.

Elad, you've given your reasons why using sysctl isn't a problem.  What 
you haven't said clearly enough for me is why it's an advantage.

		--Steven M. Bellovin,