Subject: Re: replace chroot() with a chroot overlay file system?
To: Steven M. Bellovin <smb@cs.columbia.edu>
From: Bill Studenmund <wrstuden@netbsd.org>
List: tech-security
Date: 11/03/2005 18:00:30

On Tue, Nov 01, 2005 at 07:49:59PM -0500, Steven M. Bellovin wrote:
> I'm thinking out loud here, so I may easily be confused, but...
>
> What if we replaced the chroot() system call by an overlay file
> system, mounted over some subtree?  The advantage is that that file
> system could be mounted read-only, nosuid, nodev, even noexec.

The problem I see with nodev is that that means we don't have /dev/null.
My understanding is that chroot environments often need a _few_ devices,
and with nodev they get none.

Also, overlay file systems add vnode overhead. If we need it, it's good.
But I'm not sure if I feel comfortable with us making one for each chroot
environment.

I'd say that either systrace or something like Solaris's capabilities
would be a good route to go. If we make making device nodes a "capability"
and the chroot processes don't have it, no new devices. :-)

Take care,

Bill

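The "make mknod a capability" idea from the message above, as an added example written for this archive page (it is not code from the thread, from NetBSD, or from systrace). It assumes Linux, whose CAP_MKNOD is used here as a stand-in for the Solaris-style capability Bill has in mind: the process removes CAP_MKNOD from its own capability sets with the raw capget/capset syscalls, then shows that creating a new character device fails with EPERM while creating a plain file through the same mknod() call still works and a pre-existing /dev/null stays usable. That last point is the distinction from nodev: the chroot keeps the few devices it was given but cannot grow any more. The temp-directory name and the helper names are the example's own.

```c
/* Added example, not from the tech-security thread. Linux-only: uses
 * CAP_MKNOD (capabilities(7)) as the "mknod capability" a chrooted process
 * would be denied. Build: cc -Wall -o nomknod nomknod.c && ./nomknod */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/sysmacros.h>
#include <linux/capability.h>

/* Remove CAP_MKNOD from the effective, permitted and inheritable sets of
 * this process via raw capget/capset (no libcap needed). Returns 0 on
 * success, -1 with errno set on failure. For an already unprivileged
 * process the sets are empty, so this succeeds as a no-op. */
static int drop_cap_mknod(void) {
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[2];   /* v3 uses two 32-bit words */
    memset(data, 0, sizeof data);
    if (syscall(SYS_capget, &hdr, data) != 0)
        return -1;
    unsigned idx = CAP_MKNOD / 32, bit = 1u << (CAP_MKNOD % 32);
    data[idx].effective   &= ~bit;
    data[idx].permitted   &= ~bit;
    data[idx].inheritable &= ~bit;
    return (int)syscall(SYS_capset, &hdr, data);
}

/* Try to create a character device node (Linux /dev/null is 1,3).
 * Returns 0 if it succeeded (node is removed again), else the errno;
 * without CAP_MKNOD the kernel answers EPERM. */
static int try_mknod_chr(const char *path) {
    if (mknod(path, S_IFCHR | 0666, makedev(1, 3)) == 0) {
        unlink(path);
        return 0;
    }
    return errno;
}

/* Same syscall with S_IFREG: a plain file needs no capability, so this
 * keeps working after the drop. Returns 0 or the errno. */
static int try_mknod_reg(const char *path) {
    if (mknod(path, S_IFREG | 0644, 0) == 0) {
        unlink(path);
        return 0;
    }
    return errno;
}

/* An existing device node stays usable: only *new* nodes are blocked,
 * which is what nodev cannot give you. Returns 1 if /dev/null opens. */
static int can_open_dev_null(void) {
    int fd = open("/dev/null", O_WRONLY);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* Drop the capability, then exercise both mknod flavours in a fresh
 * temporary directory (tries /tmp, then the cwd). Returns 0 and fills
 * *chr_err / *reg_err with each attempt's errno (0 = success), or -1 if
 * setup itself failed. */
static int run_demo(int *chr_err, int *reg_err) {
    if (drop_cap_mknod() != 0)
        return -1;
    char tmpl[64] = "/tmp/nomknodXXXXXX";
    if (mkdtemp(tmpl) == NULL) {
        strcpy(tmpl, "./nomknodXXXXXX");
        if (mkdtemp(tmpl) == NULL)
            return -1;
    }
    char chr[128], reg[128];
    snprintf(chr, sizeof chr, "%s/null", tmpl);
    snprintf(reg, sizeof reg, "%s/plain", tmpl);
    *chr_err = try_mknod_chr(chr);
    *reg_err = try_mknod_reg(reg);
    rmdir(tmpl);
    return 0;
}

int main(void) {
    int chr_err = 0, reg_err = 0;
    if (run_demo(&chr_err, &reg_err) != 0) {
        perror("setup");
        return 1;
    }
    printf("mknod char device : %s\n", chr_err ? strerror(chr_err) : "ok");
    printf("mknod regular file: %s\n", reg_err ? strerror(reg_err) : "ok");
    printf("/dev/null usable  : %s\n", can_open_dev_null() ? "yes" : "no");
    return 0;
}
```

Run it as root and the first line reads "Operation not permitted" even though the process started fully privileged; run it as an ordinary user and the result is the same, because that user never had CAP_MKNOD. A real chroot setup would populate the jail's /dev with the handful of nodes it needs before the drop, then chroot() and drop, so the process keeps /dev/null but can never mint a /dev/kmem for itself.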