On Mon, Jul 20, 2015 at 10:41:08AM -0600, Theo de Raadt wrote:
> > On Mon, Jul 20, 2015 at 12:04:43PM -0400, Ted Unangst wrote:
> > > chroot is probably the best comparison. yes, we provide a chroot(1), but
> > There is no chroot(1). :p
> >
> > > practically nothing uses it. everything is instead calling chroot(2) on its
> > > own. the things that do use chroot(1) are doing so for specialized namespace
> > > reasons, not for sandboxing.
> >
> > I have a huge counter-example: dpb.
> > Specifically, chroot(8) does the nice usercontext thingies that would be
> > cumbersome to do from perl.
>
> chroot was only used as a partial example.
>
> I have the same concerns with tame(1).
>
> First, it is very premature. Secondly, TAME_EXEC is a very nasty semantic.
>
> Most importantly the purpose of tame is to allow a programmer to separate
> their initial-setup from the main-loop processing. By tagging the unix
> feature-set into a simple "effect" classification, it also guides the
> programming of general purpose unix tools, guiding them towards privdrop,
> privsep; or if they have no specific priv-split happening, at minimum it
> constrains most to files-only or network-only behaviours.
>
> From the outside, a regular user is not going to know the system features
> and semantics that a program uses, not in a detailed fashion.
>
> "tame -a firefox doesn't work. Is tame broken?"
>
> We don't need that kind of grief.
>
>
Sorry, should have made things clearer. I just meant that chroot was
a bad comparison. I can't see any sane use of a tame(1) at the
moment.