Subject: Re: chroot(2)
To: der Mouse <mouse@Rodents.Montreal.QC.CA>
From: Manuel Bouyer <bouyer@antioche.lip6.fr>
List: tech-kern
Date: 10/05/1998 08:48:03

On Oct 4, der Mouse wrote
> Not necessarily true.  If you've set up a shadow system (say you're
> testing a new userland), you may have some services in inetd set up to
> chroot to the new tree before running their daemons...in which case you
> more or less *need* the new system to behave as much like a real system
> as possible, including having set-id binaries work.
> 

YES! On my firewall, I run inetd in a chrooted env (with limited /dev,
limited binaries, etc ... of course all chflag'ed, kernel security level
is 2). This way, all network users have a limited environment. But I want,
when I log in from the network, to be able to su. I don't want to have to go
to the console to update /chroot/etc/master.passwd !

--
Manuel Bouyer, LIP6, Universite Paris VI.           Manuel.Bouyer@lip6.fr
--