From: Gregory BELLIER <gregory.bellier@gmail.com>
To: Gerd Stolpmann <info@gerd-stolpmann.de>
Cc: caml-list@inria.fr
Subject: Re: [Caml-list] How does chroot work ?
Date: Sun, 19 Dec 2010 00:01:52 +0100 [thread overview]
Message-ID: <4D0D3D60.2030205@gmail.com> (raw)
In-Reply-To: <1292700715.22147.324.camel@thinkpad>
Le 18/12/2010 20:31, Gerd Stolpmann a écrit :
> Am Samstag, den 18.12.2010, 18:09 +0100 schrieb Gregory Bellier:
>> Hi !
>>
>> For security reasons, I would like to chroot a child process but I
>> can't do it unless this process is root.
>> How does it work exactly ?
> If everybody could chroot it would be possible to change passwords and
> do other privileged operations in the new chroot (it depends on the OS
> how dangerous this really is, but POSIX assumes it is dangerous).
> Because of this it is restricted to root.
>
> Furthermore, chroot is not designed for enhancing the security. A root
> process can undo chroot (look it up in the web, it's tricky but
> possible). If a normal user could chroot, everybody could also break
> out.
>
> So, usually you would start a new process as root, establish the chroot
> there, and setuid to a non-privileged user for doing the real work. If
> you cannot start as root, you could alternatively also set the setuid
> bit of the executable. However, running a process with setuid root adds
> new security dangers, so it is questionable whether you can improve the
> overall security by such means.
>
> I'd advise not to use chroot unless you exactly understand what you are
> doing.
>
> Gerd
Hi Gerd and thank you for your email.
Yes, I know what I'm doing.
Regards,
Gregory.
prev parent reply other threads:[~2010-12-18 23:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2010-12-18 17:09 Gregory Bellier
2010-12-18 19:31 ` [Caml-list] " Gerd Stolpmann
2010-12-18 23:01 ` Gregory BELLIER [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4D0D3D60.2030205@gmail.com \
--to=gregory.bellier@gmail.com \
--cc=caml-list@inria.fr \
--cc=info@gerd-stolpmann.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox