Alan wrote:
I think Jay's concern with IA32/AMD-64 is that if someone does inject
precompiled binaries, he doesn't want them to actually be able to run.
There are folk who will argue that getting the right precompiled
binaries is trivial.
So run everything network facing in Hercules, and hercules chrooted to a
nobody user in a chroot dir containing only the hercules environment and
support files. Pass the handle of the tunnel device in as a file
descriptor with a hack and off you go.
Xen is probably better than chroot now. He could run his spartan Gentoo
running Hercules inside Xen. The Xen guest (DomU) could mount its
filesystems ro, and noexec where exec's not required.
The spare power could run his build/test environments.
--
Cheers
John
-- spambait
[EMAIL PROTECTED] [EMAIL PROTECTED]
Please do not reply off-list
----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
