chroot-jail ?? whats this

Chris Phillips - Member Technical Staff chrisph at loon.east.sun.com
Tue Feb 29 16:32:19 UTC 2000



Harold Pritchett <harold at uga.edu> wrought:
|Date: Tue, 29 Feb 2000 11:19:20 -0500

|Ralf Hildebrandt wrote:

|> On Tue, Feb 29, 2000 at 12:39:00PM +0800, Lawrence Chan wrote:

|> > When setting up jails with chroot, how many of shared files can be linked
|> > or, would all needed files have to be duplicated below the jail root so as
|> > not to defeat the security provided by chroot?

|> You cannot link them, since THE ORIGINAL FILES ARE NOT VISIBLE when in
|> chroot-jail! So you have to copy them.

|Actually, you should be able to put the originals in the /jail root and
|link them to the real root locations.  You just can't go the other way.

(I think also that you can "share" them via hard links if they are
in the same fs --- )

_But I wouldn't!_  

Consider that you have built the "chroot" env
to isolate this app/daemon from the "real" system. If by some means
root is acquired in the "chroot" env, then it may be possible to alter the
files shared between the "chroot" env and the real env in such a way as
to allow root access in the real env. I would strive to make the
2 environments as independent as possible.

|Harold

Cheers!
Chris

--        Woda: "write once, debug anywhere" Hong Zhang
 | Chris Phillips - Sun JTG CTE Engineer, Solaris Production JVM |
 | mailto:Chris.Phillips at Sun.Com            (781)442-0046/x20046 |
--"EPIC stands for Expects Perfectly Intuitive Compilers"  P. Bannon
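
One way to check a jail for the sharing discussed in this message, added here as an example and not part of the original post: it walks the jail tree and reports regular files whose inode has more hard links on disk than were found inside the jail, meaning at least one link lives outside it. The function names and the sample layout built by `demo()` are constructed for illustration.

```python
import os
import stat
import sys
import tempfile
from collections import defaultdict


def find_shared_hardlinks(jail_root):
    """Map (device, inode) -> jail paths for regular files in the jail that
    also have at least one hard link somewhere outside the jail tree."""
    inside = defaultdict(list)  # links to each inode found inside the jail
    total = {}                  # link count the filesystem reports per inode
    for dirpath, _dirs, files in os.walk(jail_root):  # does not follow symlinks
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                key = (st.st_dev, st.st_ino)
                inside[key].append(path)
                total[key] = st.st_nlink
    # More links on disk than we found in the jail: the rest are outside it.
    return {k: sorted(v) for k, v in inside.items() if total[k] > len(v)}


def demo():
    """Build a constructed jail layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as top:
        jail = os.path.join(top, "jail")
        os.makedirs(os.path.join(jail, "etc"))
        os.makedirs(os.path.join(top, "real_etc"))
        shared = os.path.join(jail, "etc", "shared.conf")
        private = os.path.join(jail, "etc", "private.conf")
        for p in (shared, private):
            with open(p, "w") as fh:
                fh.write("constructed sample\n")
        os.link(shared, os.path.join(top, "real_etc", "shared.conf"))  # crosses the jail boundary
        os.link(private, os.path.join(jail, "etc", "private.bak"))     # stays inside the jail
        hits = find_shared_hardlinks(jail)
        return sorted(os.path.relpath(p, jail) for v in hits.values() for p in v)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        for (dev, ino), paths in find_shared_hardlinks(sys.argv[1]).items():
            print(f"inode {ino} on dev {dev} is also linked outside the jail: {paths}")
    else:
        print(demo())
```

Run it with the jail root as the only argument; files linked only to other names inside the jail are not reported.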




More information about the bind-users mailing list