I wrote: : P.S. It's hard for a portable chroot tool to cut off a program's network : access. Kernel designers should provide a disablenetwork() syscall, with : the disabling inherited by children.
I've set up a web page http://cr.yp.to/unix/disablenetwork.html discussing this and surveying the system-specific suggestions that people have sent to me. Further contributions are welcome. ---D. J. Bernstein, Associate Professor, Department of Mathematics, Statistics, and Computer Science, University of Illinois at Chicago
