Martin wrote:
>
> > That's a nice try, but the example is a C program that is calling the
> > chroot() system call, not the binary in /usr/sbin.
>
> rainboooows! ;)
... and here I was expecting you to say "but how do you compile a C
program in a chrooted environment", and I was going to say "well okay,
you do have a point, so the end result would be the same chicken/egg
problem with one needing a binary to get out of the chroot", which
either Terry, Crossfire or Angus would rebuke further... etc, etc.
> so, how do you protect a machine at all then? are we just fooling
> ourselves that a chroot()ed bind is any safer ??
I'd imagine that a chrooted bind that isn't running as root would be
safer.
> i gather the best security we get is something that chroot()s, drops
> its privileges and then doesn't give up a root shell when exploited...
Allowing someone to get root access is bad. Don't let it happen.
--
SLUG - Sydney Linux User Group Mailing List - http://slug.org.au/
More Info: http://slug.org.au/lists/listinfo/slug
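The pattern the thread lands on, chroot() then drop privileges so that a compromised daemon has neither root nor a way back out, as an added example that is not from the thread or any of its authors. It assumes a jail directory given on the command line (placeholder default /var/empty) and an unprivileged uid/gid of 65534 (nobody/nogroup on many systems); it only succeeds when started as root.

```c
#define _GNU_SOURCE 1            /* declares setgroups() in <grp.h> on glibc */
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Returns 0 on success; on failure returns a negative step number so the
 * caller knows which step failed (errno is left set by that call). */
int chroot_and_drop(const char *jail, uid_t uid, gid_t gid)
{
    if (uid == 0 || gid == 0)        /* "dropping" to root is not a drop */
        return -1;
    if (chdir(jail) != 0)            /* cwd must be inside the jail first */
        return -2;
    if (chroot(jail) != 0)           /* needs root (CAP_SYS_CHROOT) */
        return -3;
    if (chdir("/") != 0)             /* otherwise cwd still points outside */
        return -4;
    if (setgroups(0, NULL) != 0)     /* drop supplementary groups */
        return -5;
    if (setgid(gid) != 0)            /* gid before uid, while still root */
        return -6;
    if (setuid(uid) != 0)            /* sets real, effective and saved uid */
        return -7;
    /* Verify the drop is irreversible: regaining root must now fail. */
    if (setuid(0) == 0 || setgid(0) == 0)
        return -8;
    return 0;
}

int main(int argc, char **argv)
{
    const char *jail = argc > 1 ? argv[1] : "/var/empty";  /* placeholder */
    int rc = chroot_and_drop(jail, 65534, 65534);           /* assumed uid/gid */
    if (rc != 0) {
        fprintf(stderr, "step %d failed: %s\n", -rc, strerror(errno));
        return 1;
    }
    printf("now uid=%u gid=%u with / = %s\n",
           (unsigned)getuid(), (unsigned)getgid(), jail);
    return 0;
}
```

The order matters: chdir before chroot closes the open-directory escape, setgid before setuid is required because an unprivileged uid can no longer change gid, and the final setuid(0) check catches the case where only the effective uid was changed and the saved uid still allows a return to root.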