Hi Norbert!

On 5/23/06, Norbert P. Copones <[EMAIL PROTECTED]> wrote:
> He/she can copy the necessary libs/bin/deps to the chroot dir. Why
> mount-bind the real /? The security essence of chroot will be lost.
> Still, if it's a root process, it's very possible for the process to
> escape out of chroot. It's a very known bug/limitation of chroot.

The copy can happen, yes, if s/he can get out of the chroot in the first place, or when s/he can get the binaries from somewhere (say over a network) and/or build from source. But then again, you wouldn't want to have build tools in a chroot, unless it's a dchroot and you're a packager ;)

Yeah, it is perhaps quite possible for a uid-0 process to get out of the chroot, which is why a chroot must be properly configured in the first place, having just the bare metal to run the allowed apps per the site's policy. Again, a good /etc/sudoers can help. I also hear on the grapevine that there's a fakeroot-aware sudo in the works too...

As for the nowhere-land bits, I have to agree with you, my bad :/ I'm used to building chroots within chroots within chroots (or, more precisely, pbuilder in dchroot in dchroot)... don't ask me why ;P

--
Zak B. Elep || http://zakame.spunge.org
[EMAIL PROTECTED] || [EMAIL PROTECTED]
1486 7957 454D E529 E4F1 F75E 5787 B1FD FA53 851D

_________________________________________________
Philippine Linux Users' Group (PLUG) Mailing List
[email protected] (#PLUG @ irc.free.net.ph)
Read the Guidelines: http://linux.org.ph/lists
Searchable Archives: http://archives.free.net.ph
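
An added example, not part of the original thread: a small audit of a chroot tree for the things the messages above warn about (build tools, ways back to uid 0, and mounts that expose the real filesystem). The function names and the `BUILD_TOOLS` list are assumptions for illustration, to be replaced by the site's own policy.

```python
import os
import stat

# Assumed site policy: tool names that should not exist inside a jail.
BUILD_TOOLS = {"gcc", "cc", "g++", "make", "ld", "as"}

def classify(name, mode):
    """Return the findings for one directory entry, given its name and st_mode."""
    found = []
    if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
        found.append("setuid-or-setgid")   # possible path back to uid 0
    if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
        found.append("device-node")        # raw access to disks or memory
    if stat.S_ISREG(mode) and name in BUILD_TOOLS and mode & 0o111:
        found.append("build-tool")         # allows building from source in the jail
    return found

def mounts_inside(root, mounts_text):
    """List mount points at or under root, from /proc/mounts-style text."""
    root = os.path.realpath(root)
    hits = []
    for line in mounts_text.splitlines():
        fields = line.split()
        # Field 2 is the mount point; compare with a trailing "/" so that
        # /srv/jail does not match /srv/jail2.
        if len(fields) >= 2 and (fields[1] == root or fields[1].startswith(root + "/")):
            hits.append(fields[1])
    return hits

def audit_chroot(root, mounts_text=""):
    """Walk a chroot tree and return sorted (finding, path) pairs to review."""
    root = os.path.realpath(root)
    report = [("mount-inside-chroot", m) for m in mounts_inside(root, mounts_text)]
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            rel = "/" + os.path.relpath(path, root)   # path as seen inside the jail
            for finding in classify(name, os.lstat(path).st_mode):
                report.append((finding, rel))
    return sorted(report)

if __name__ == "__main__":
    import sys
    with open("/proc/mounts") as fh:
        for finding, path in audit_chroot(sys.argv[1], fh.read()):
            print(f"{finding}\t{path}")
```

Run it with the chroot directory as its only argument; every line printed is something to justify against the site's policy or remove.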

