Subject: Re: chroot(2)
To: NetBSD Kernel Technical Discussion List <tech-kern@netbsd.org>
From: Michael Graff <explorer@flame.org>
List: tech-kern
Date: 10/01/1998 22:19:28

woods@most.weird.com (Greg A. Woods) writes:

> there are a *lot* of things you need to turn off for any non-root
> process that wants to lock itself in a chroot'ed jail.  You essentially
> have to assume there are only two valid user-ids, that of the process
> and zero, and you can't allow any setuid exec(), no mknod(), no symbolic
> or hard links out of the jail, and probably a bunch of other things I've
> forgotten, and of course setting up such a jail in a safe configuration
> is non-trivial.

I'd also like to have user and group level access to TCP/UDP ports.
That way, I can start up named in a chroot()ed directory, as a
non-root user, and still have it open port 53 at will.

--Michael
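
An added example, not part of the original thread: a small audit of a jail directory for the conditions the quoted message lists (only two valid user-ids, no setuid files, no device nodes, no symbolic or hard links out of the jail). The function names, the sample tree and the finding labels are assumptions made for illustration.

```python
import os
import stat
import tempfile


def audit_jail(root, jail_uid):
    """Return sorted (relative_path, finding) pairs for the tree under root."""
    root = os.path.realpath(root)
    allowed_uids = {0, jail_uid}  # "that of the process and zero"
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not entered
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            st = os.lstat(path)  # lstat: inspect the link itself, never its target
            if st.st_uid not in allowed_uids:
                findings.append((rel, "unexpected-owner"))
            if stat.S_ISLNK(st.st_mode):
                # Host-side view. A process inside the jail cannot climb past its
                # root with "..", but tools run from outside follow this link.
                target = os.path.normpath(os.path.join(dirpath, os.readlink(path)))
                if target != root and not target.startswith(root + os.sep):
                    findings.append((rel, "symlink-leaves-jail"))
            elif stat.S_ISCHR(st.st_mode) or stat.S_ISBLK(st.st_mode):
                findings.append((rel, "device-node"))
            elif stat.S_ISREG(st.st_mode):
                if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    findings.append((rel, "setuid-or-setgid"))
                if st.st_nlink > 1:  # another name for this inode may sit outside
                    findings.append((rel, "hard-linked"))
    return sorted(findings)


def build_sample_jail(base):
    """Constructed sample tree (not from the post) with three deliberate problems."""
    jail = os.path.join(base, "jail")
    for d in ("etc", "bin"):
        os.makedirs(os.path.join(jail, d))
    for rel in ("etc/named.conf", "etc/zone.db", "bin/helper"):
        with open(os.path.join(jail, rel), "w") as fh:
            fh.write("constructed\n")
    os.chmod(os.path.join(jail, "bin/helper"), 0o4755)
    os.symlink("../../outside", os.path.join(jail, "etc/escape"))
    os.link(os.path.join(jail, "etc/zone.db"), os.path.join(base, "zone-outside.db"))
    return jail


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as base:
        for rel, finding in audit_jail(build_sample_jail(base), os.getuid()):
            print(f"{finding:22} {rel}")
```

Device nodes are checked but not present in the sample tree, since creating one requires root.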