Subject: Re: i386 IO access and chroot()
To: Andrew Brown <firstname.lastname@example.org>
From: Michael Richardson <email@example.com>
Date: 07/17/2001 21:11:08
>>>>> "Andrew" == Andrew Brown <firstname.lastname@example.org> writes:
>> (I do not even think that the fchdir() checks should be done. I've used
>> used the fact that you can fchdir() out of the chroot in some applications)
Andrew> from vfs_syscalls.c:
Andrew> so you can't do that here. not since march '99.
Yes, I know.
I did this in... 1995 on a different OS.
I understand why we did that. I do not disagree.
I claim that we should instead introduce a different a la jail(2) that does
this, and also more.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] email@example.com http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [