Subject: Re: extending chroot()
To: Steven M. Bellovin <>
From: Bill Studenmund <>
List: tech-security
Date: 01/17/2003 13:31:46
On Fri, 17 Jan 2003, Steven M. Bellovin wrote:

> In message <
> >, Bill Studenmund writes:
> >On Thu, 16 Jan 2003, Steve Bellovin wrote:
> >
> >I think that's a good idea, but I'd rather we not blanket disable
> >setuid/setgid bits if root does the chroot. In addition to running
> >servers, chroot is good for emulating old versions of the OS. For
> >instance, I think a number of folks who run -current compile packages for
> >-release in a chroot. It would be nice to have normal setuid/setgid
> >semantics there.
> Hmm -- I thought the new toolchain was the way to handle that.

While the new toolchain stuff will let us do that for our source, it won't
help pkgsrc since most packages don't really use it. Also, for a bulk
build, you usually want to make sure that only the packages dependeed on
by a package are installed, so you uninstall/install a lot. A separate
chroot helps that.

Take care,