On Wed, Feb 08, 2017 at 08:27:41PM -0500, Rich Freeman wrote

> As you can see, there is limited ability for even root to accidentally
> mess something up.  If you bind-mount /dev in a regular chroot
> (without a hardening technology on top) and something running as root
> in the chroot tries to write to /dev/sda, then it will have the
> obvious result.  Note that Linux containers are not yet 100% secure so
> this should be viewed as a protection against accidental damage, not
> as equivalent to a VM.  Non-root processes inside a container are
> considered to be pretty secure I believe, and I believe root is
> supposed to be OK if it is running in a container in a separate user
> namespace (so it is non-root on the host).

  If building Pale Moon inside a chroot as a regular user is a security
issue...  then what can I say about doing personal 64-bit Pale Moon
builds directly on my desktop (*NOT* chrooted) as a regular user???  Or
emerging using the Pale Moon overlay???  Or emerging Firefox, from which
Pale Moon is forked?  Unlike my personal build, which I install in
$HOME, emerge uses root-level permissions to install the binaries in
directories which can only be written to by root.

-- 
Walter Dnes <waltd...@waltdnes.org>
I don't run "desktop environments"; I run useful applications
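
The quoted remark about root in a separate user namespace being non-root on the host can be checked from a process's UID map. This is an added example, not part of either poster's message: it parses the `/proc/<pid>/uid_map` format (inside ID, outside ID, length), and the two sample maps are constructed. It assumes the map is read from the host, so the outside IDs are host UIDs.

```python
# Added example: does UID 0 inside a namespace map to UID 0 outside it?
# uid_map line format (user_namespaces(7)): inside_start outside_start length
from pathlib import Path

# Constructed samples: the initial namespace, and an unprivileged container.
INITIAL_NS = "         0          0 4294967295\n"
USERNS = "         0     100000      65536\n"


def parse_uid_map(text):
    """Return a list of (inside_start, outside_start, length) extents."""
    extents = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue  # skip blank or malformed lines
        extents.append(tuple(int(f) for f in fields))
    return extents


def outside_uid(inside_uid, extents):
    """Translate an inside UID to the outside UID, or None if unmapped."""
    for inside_start, outside_start, length in extents:
        if inside_start <= inside_uid < inside_start + length:
            return outside_start + (inside_uid - inside_start)
    return None


def root_is_host_root(text):
    """True when UID 0 in this map is also UID 0 outside the namespace."""
    return outside_uid(0, parse_uid_map(text)) == 0


if __name__ == "__main__":
    path = Path("/proc/self/uid_map")
    if path.exists():
        verdict = root_is_host_root(path.read_text())
        print("root here is root outside:", verdict)
    print("constructed initial ns:", root_is_host_root(INITIAL_NS))
    print("constructed user ns:", root_is_host_root(USERNS))
```

A mapping that sends UID 0 to an unprivileged host UID only covers the identity side; what is bind-mounted into the container and which capabilities it holds still need checking separately.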
