Subject: Re: i386 IO access and chroot()
To: gabriel rosenkoetter <>
From: Michael Richardson <>
List: tech-security
Date: 07/17/2001 15:28:14
>>>>> "gabriel" == gabriel rosenkoetter <> writes:
    gabriel> While we're at it, shall chroot() disallow compromised services
    gabriel> running within a jail from attacking other hosts? Seems within the
    gabriel> same scope to me. (That is, I just don't think it's doable.)

  chroot(2) should not.
  (I do not even think that the fchdir() checks should be done. I've used
used the fact that you can fchdir() out of the chroot in some applications)
  But, I think that we should offer a facility like jail(2), etc. that does
what is being asked for. 

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson, Sandelman Software Works, Ottawa, ON    |net architect[
] |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy");  [