> On Mon, Jul 20, 2015 at 12:04:43PM -0400, Ted Unangst wrote:
> > chroot is probably the best comparison. yes, we provide a chroot(1), but
>
> There is no chroot(1). :p
>
> > practically nothing uses it. everything is instead calling chroot(2) on its
> > own. the things that do use chroot(1) are doing so for specialized namespace
> > reasons, not for sandboxing.
>
> I have a huge counter-example: dpb.
> Specifically, chroot(8) does the nice usercontext thingies that would be
> cumbersome to do from perl.
chroot was only used as a partial example. I have the same concerns with tame(1). First, it is very premature. Secondly, TAME_EXEC is a very nasty semantic.

Most importantly the purpose of tame is to allow a programmer to separate their initial-setup from the main-loop processing. By tagging the unix feature-set into a simple "effect" classifications, it also guides the programming of general purpose unix tools, guiding them towards privdrop, privsep; or if they have no specific priv-split happening, at minimum it constrains most to files-only or network-only behaviours.

From the outside, a regular user is not going to know the system features and semantics that a program uses, not in a detailed fashion. "tame -a firefox doesn't work. Is tame broken?" We don't need that kind of grief.
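The setup-then-main-loop structure the message describes, as an added example that is not code from the thread or from OpenBSD. It assumes the 5.8-era interface `int tame(int flags)` declared in `<sys/tame.h>` with the `TAME_STDIO` flag; on non-OpenBSD systems the restriction step is a no-op so the program still builds and runs, and the config and input lines are constructed sample data.

```c
/* Added example: broad-access setup first, then tame(2), then a main loop
 * that only needs stdio.  tame(2) and TAME_STDIO are assumed to be the
 * OpenBSD 5.8 interface; elsewhere restrict_runtime() only records the phase. */
#include <stdio.h>
#include <stdlib.h>
#ifdef __OpenBSD__
#include <sys/tame.h>   /* assumed header for the 5.8-era tame(2) */
#endif

enum phase { PHASE_SETUP, PHASE_MAINLOOP };
static enum phase current_phase = PHASE_SETUP;

/* Phase 1: everything that needs broad access (config files, sockets, keys)
 * happens here, before any restriction.  Constructed config: "max=<n>". */
static int setup_from_config(const char *config_text, int *allowed_max)
{
    if (sscanf(config_text, "max=%d", allowed_max) != 1)
        return -1;
    return 0;
}

/* Phase boundary: from here on the process is limited to stdio-class work. */
static int restrict_runtime(void)
{
#ifdef __OpenBSD__
    if (tame(TAME_STDIO) == -1)
        return -1;
#endif
    current_phase = PHASE_MAINLOOP;
    return 0;
}

/* Phase 2: the main loop.  Reads newline-separated integers from `input` and
 * counts those <= allowed_max.  Refuses to run unless the process has been
 * restricted first, which is the discipline tame is meant to encourage. */
static int process_lines(const char *input, int allowed_max)
{
    if (current_phase != PHASE_MAINLOOP)
        return -1;
    int accepted = 0;
    const char *p = input;
    while (*p != '\0') {
        char *end;
        long v = strtol(p, &end, 10);
        if (end == p)
            break;                /* malformed line: stop processing */
        if (v <= allowed_max)
            accepted++;
        p = end;
        while (*p == '\n' || *p == ' ')
            p++;
    }
    return accepted;
}

/* Runs the three steps on constructed data; returns the accepted-line count. */
static int run_demo(void)
{
    int max;
    if (setup_from_config("max=10", &max) == -1)
        return -1;
    if (restrict_runtime() == -1)
        return -1;
    return process_lines("3\n42\n7\n10\n", max);
}

int main(void)
{
    int n = run_demo();
    if (n < 0) {
        perror("run_demo");
        return 1;
    }
    printf("accepted %d lines\n", n);
    return 0;
}
```

The point of the phase check in `process_lines` is that the main loop cannot be reached without passing through `restrict_runtime`, so adding a new feature that needs files or sockets forces the author to either do it in setup or widen the tame flags deliberately.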