Am Samstag, den 18.12.2010, 18:09 +0100 schrieb Gregory Bellier: > Hi ! > > For security reasons, I would like to chroot a child process but I > can't do it unless this process is root. > How does it work exactly ?
If everybody could chroot it would be possible to change passwords and do other privileged operations in the new chroot (it depends on the OS how dangerous this really is, but POSIX assumes it is dangerous). Because of this it is restricted to root. Furthermore, chroot is not designed for enhancing the security. A root process can undo chroot (look it up in the web, it's tricky but possible). If a normal user could chroot, everybody could also break out. So, usually you would start a new process as root, establish the chroot there, and setuid to a non-privileged user for doing the real work. If you cannot start as root, you could alternatively also set the setuid bit of the executable. However, running a process with setuid root adds new security dangers, so it is questionable whether you can improve the overall security by such means. I'd advise not to use chroot unless you exactly understand what you are doing. Gerd > Thanks in advance. > Gregory. > > _______________________________________________ > Caml-list mailing list. Subscription management: > http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list > Archives: http://caml.inria.fr > Beginner's list: http://groups.yahoo.com/group/ocaml_beginners > Bug reports: http://caml.inria.fr/bin/caml-bugs > -- ------------------------------------------------------------ Gerd Stolpmann, Bad Nauheimer Str.3, 64289 Darmstadt,Germany g...@gerd-stolpmann.de http://www.gerd-stolpmann.de Phone: +49-6151-153855 Fax: +49-6151-997714 ------------------------------------------------------------ _______________________________________________ Caml-list mailing list. Subscription management: http://yquem.inria.fr/cgi-bin/mailman/listinfo/caml-list Archives: http://caml.inria.fr Beginner's list: http://groups.yahoo.com/group/ocaml_beginners Bug reports: http://caml.inria.fr/bin/caml-bugs