Subject: Re: i386 IO access and chroot()
To: Andrew Brown <atatat@atatdot.net>
From: Michael Richardson <mcr@sandelman.ottawa.on.ca>
List: tech-security
Date: 07/17/2001 21:11:08
>>>>> "Andrew" == Andrew Brown <atatat@atatdot.net> writes:
>> (I do not even think that the fchdir() checks should be done. I've
>> used the fact that you can fchdir() out of the chroot in some applications)
Andrew> from vfs_syscalls.c:
Andrew> so you can't do that here. not since march '99.
Yes, I know.
I did this in... 1995 on a different OS.
I understand why we did that. I do not disagree.
I claim that we should instead introduce a different a la jail(2) that does
this, and also more.
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
] mcr@sandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [