Subject: Re: replace chroot() with a chroot overlay file system?
To: Brett Lymn <blymn@baesystems.com.au>
From: Michael Richardson <mcr@marajade.sandelman.ca>
List: tech-security
Date: 11/03/2005 12:08:27
>>>>> "Brett" == Brett Lymn <blymn@baesystems.com.au> writes:
>> So, chroot("/my/foo");
>>
>> becomes the same as something:
>>     mount -o ro,nosuid,noexec,nodev -t union /something /my/foo
>>     chroot /my/foo
>>
>> (where /something might even be /)
>>
Brett> At which point I would be worried about a privilege
Brett> escalation leading to my password database being snatched for
Brett> offline cracking. The nice thing about chroot is that you
Brett> don't have the encrypted passwords laying about.
right, there are different reasons for chroot().
Sometimes, you *do* want to be able to read stuff. Maybe even
passwords. (think pop daemon...) Sometimes you do not.
- --
] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
] Michael Richardson, Xelerance Corporation, Ottawa, ON |net architect[
] mcr@xelerance.com http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [