Subject: Re: Getting rid of /dev/veriexec
To: Elad Efrat <elad@NetBSD.org>
From: Steven M. Bellovin <firstname.lastname@example.org>
Date: 12/02/2005 09:00:03
In message <4390521C.9090707@NetBSD.org>, Elad Efrat writes:
>Can you give me an example of a root-owned process inside a chroot()?
>most, if not all examples of chroot() usage I know make sure to drop
ntpd. ftpd has to run as root part of the time, to bind to port 20.
apache keeps a portion of itself as root; suexec, if you use it (and
you probably should), always runs as root.
Elad, you've given your reasons why using sysctl isn't a problem. What
you haven't said clearly enough for me is why it's an advantage.
--Steven M. Bellovin, http://www.cs.columbia.edu/~smb