On Fri, 2005-10-14 at 15:19 +0200, Marcus Brinkmann wrote: > At Fri, 14 Oct 2005 14:44:49 +0200, > Bas Wijnen <[EMAIL PROTECTED]> wrote: > > If the chrooted filesystem contains an active translator, it will > > (correctly) > > have a different root. This can be used to construct communication > > channels, > > but I feel it would also generate accidental channels. > > This is always true. If you give somebody a capability that allows > you to retrieve further capabilities, then yes, you give potentially > all those other capabilities to the process as well. > > But note that if the task is confined, it can not get such a > capability from the constructor. So, the instantiator would > explicitely give it such a capability. You can shoot yourself in the > foot.
Marcus has it, but here is a more precise way to state what he says: The purpose of a chroot environment is to prevent escape. If there existed some way to accomplish it, we would usually be happy to let the chroot environment share **purely read only** state with our larger environment. For example, it is silly to make multiple copies of /bin/ls. The only catch with purely read-only sharing is that, of course, there will be *some* content that we do *not* want to put in the chroot environment. So we simply shouldn't do that. In practice, I suggest that this is a matter of configuration. shap _______________________________________________ L4-hurd mailing list [email protected] http://lists.gnu.org/mailman/listinfo/l4-hurd
