tech-userlevel archive


Re: simple chroot environment rc.d script



On Thu, Aug 23, 2012 at 03:46:06PM +0200, iMil wrote:
> 
> >you're going to use null mounts.  The most obvious issue is that a
> >full copy of /dev is provided to the application, when what you really
> 
> Well actually, it only creates the standard devices (MAKEDEV std), not
> a full copy:
> 
> constty  klog  ksyms  null    stdin   tty
> console  drum     kmem  mem    stderr  stdout  zero
> 
> But I probably don't need all of these, null, zero and random should be
> enough.

Actually, you probably need at least stdin, stdout, stderr, tty, and
possibly fdesc mounted on /dev/fd.  But providing a way for a chrooted
process to get a descriptor for drum, kmem, or mem is just not right.

Then, generally speaking, anything mounted writable should have nodev
and, unless there's some reason why not, noexec too.  That way you have
some chance of controlling what runs.

Thor
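
A check for the two points in the reply above, as an added example that is not part of the original thread: it flags the device nodes the reply names (drum, kmem, mem) in a chroot's /dev listing and reports writable mounts under the chroot that lack nodev or noexec. The chroot path /var/chroot/app, the function names and the mount lines are constructed for illustration, and the line format assumed is that of NetBSD mount(8) output.

```sh
#!/bin/sh
# Added example, not from the thread. Chroot path and mount lines are constructed.

# Nodes the reply says a chrooted process should not be able to open.
DENY_DEVS="drum kmem mem"

# risky_devs: read a /dev listing on stdin, print every name found in DENY_DEVS.
risky_devs() {
    tr -s ' \t' '\n\n' | while read -r name; do
        [ -n "$name" ] || continue
        case " $DENY_DEVS " in *" $name "*) echo "$name" ;; esac
    done
}

# weak_mounts ROOT: read mount output on stdin; for each writable mount at or
# below ROOT, print "<mountpoint> missing:<options>" if nodev/noexec is absent.
weak_mounts() {
    root=${1%/}
    while read -r _src _on mnt _type _fs opts; do
        case "$mnt" in "$root"|"$root"/*) ;; *) continue ;; esac
        # "(nodev, local)" -> " nodev local " so nodevmtime is not read as nodev
        opts=" $(printf '%s' "$opts" | tr -d '(),') "
        case "$opts" in *" read-only "*) continue ;; esac
        missing=
        case "$opts" in *" nodev "*) ;; *) missing=nodev ;; esac
        case "$opts" in *" noexec "*) ;; *) missing="${missing:+$missing,}noexec" ;; esac
        if [ -n "$missing" ]; then echo "$mnt missing:$missing"; fi
    done
}

sample_dev_listing() {   # the /dev listing quoted in the thread
    cat <<'EOF'
constty  klog  ksyms  null    stdin   tty
console  drum     kmem  mem    stderr  stdout  zero
EOF
}

sample_mounts() {        # constructed mount lines
    cat <<'EOF'
/dev/wd0a on / type ffs (local)
/usr/pkg on /var/chroot/app/usr/pkg type null (read-only, local)
tmpfs on /var/chroot/app/tmp type tmpfs (local)
/var/appdata on /var/chroot/app/var/db type null (nodev, noexec, local)
/home/www on /var/chroot/app/srv type null (nodev, local)
EOF
}

sample_dev_listing | risky_devs
sample_mounts | weak_mounts /var/chroot/app
```

On a live system the same functions take `ls <chroot>/dev` and `mount` output on stdin; a noexec finding is a prompt to confirm there is a reason for it, as the reply allows.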

