> > IMHO, devfs in chroot environment, is defeating the purpose
> > because if you have access to raw devices, like the device
> > your chroot dir is on,
> > you can easily mount that device again, and voila you have
> > access to
> > the full tree, if you
>
> You need to be root to mount the device, and as root you can
> also create the device special file. A chroot environment
> does not reliably guard against root breaking out of it.
That's not completly wrong nor is it completly true. :)
You _CAN_ guard yourself from root's breaking out of some chroot environment.
Using grsec (www.grsecurity.net). Denying double-chroots, creation of special
files within chroot-environments and if you like it... Deny mounting within
chroot. :)
There are many options provided - just use 'em. :)
Best regards,
Oliver
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Thu Aug 07 2003 - 22:00:32 EST