On Tue, 2005-10-11 at 15:00 +0200, Bas Wijnen wrote: > On Tue, Oct 11, 2005 at 12:29:35PM +0200, Alfred M. Szmidt wrote: > > A obvious security exploit in the chroot() implementation (or really, > > file_reparent) and not in how passive translators work. If you want a > > secure chroot enviroment (right now atleast) then you should run a > > sub-hurd. Where this isn't possible (atleast, I have never been able > > to break out of a sub-hurd, and I have tried). So instead of using > > broken UNIXoid ideas like chroot, it would make far more sense to > > implement a light-weight sub-hurd which can be used like chroot. > > A problem here is that programs aren't and shouldn't be written solely for the > Hurd. People should want to write portable programs, which means they don't > want to use platform-specific extentions. This means a library is needed for > them. But chroot exists, and if you replace it by a library call, nobody will > use it.
There is a lot of truth in what you say, but it is less true today than you may believe. Precisely *because* applications wish to be portable, many are no longer written to operating system interfaces. Instead, they are written to toolkits like GTK. We did a fairly careful look at this for EROS recently. We were surprised at how many applications we would get simply by porting GTK. By far the biggest problem turns out to be autoconf. For that you really do need a POSIX emulator. shap _______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
