> There was a discussion a while back on comp.security.unix (?)
> about whether it was possible to allow chroot() for ordinary
> users. The general conclusion seemed to be that it might
> be possible so long as chroot'd processes are not permitted
> to execute any suid programs. But there may be other nasty
> security implications to this ... Can anyone think of any
> objections? It would certainly be useful to allow, say, users'
> cgi-bin scripts to chroot to a safe environment to reduce
> security risks.
cgi-bin scripts running as "nobody" (or httpd, or whatever you've
configured your server to run as) are generally a bad thing. To get
around that you've got to have root at some point (i.e. suexec,
cgiwrapper), so you might as well chroot in that wrapper.
Dean