> -------------------
>
> > Not knowing about *BSD's jails I'm not sure if you want to
> > restrict a user to only one part of the filesystem why not use
> > chroot?
>
> Because root can break out of a chroot().
>
> Trivially.
>
> It's not related to devices, like some seem to think... the method is
> even simpler:
>
> #define MY_JAIL_PATH "/whatever/you/want"
>
> chdir( MY_JAIL_PATH );
> chroot( MY_JAIL_PATH );
> /* process is now supposedly jailed */
> /* can we get out? sure.... we have the keys cause we're root.... */
> mkdir( MY_JAIL_PATH "/escape" ); /* did I mention I love ANSI C's
> string concatenation? */
> chroot( MY_JAIL_PATH "/escape" );
alright, but say you had a normalish path
$ echo $PATH
/usr/local/sbin:/usr/sbin:/sbin:/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/local/sbin:/usr/bin/X11:/usr/X11R6/bin:/root/bin
and chroot in a particular directory
$ which chroot
/usr/sbin/chroot
and i chroot to "/whatever/you/want", when i try to chroot again, won't
it really be using /whatever/you/want/usr/sbin/chroot (or any other
chroot it finds first in my path) instead of /usr/sbin/chroot. (feel
quite free to step in here and point out flaws in my reasoning :)
so if i didn't put a chroot in /whatever/you/want or it's
subdirectories, you can't chroot again... until, of course you download
your own chroot binary and run that instead!
:P
later
marty
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
