[ On Thursday, August 10, 2000 at 22:39:21 (-0400), Justin Wells wrote: ]
> Subject: Re: patch to make CVS chroot
>
> On Thu, Aug 10, 2000 at 12:56:24PM -0400, Greg A. Woods wrote:
> > Not necessarily. It has been independently shown many times that it is
> > very difficult to correctly configure a safe chroot environment for
> > anything but the most trivially simple uses.
>
> It's not difficult. There are only a few things to remember:
>
> 1) don't put any setuid binaries in the chroot area
wrong. don't put *any* binaries in the chroot area -- you've got to
carry all your capabilities in the one process that's chrooted!
> You can give away shells inside the chroot area and a non-root user
> won't be able to break out unless you also put a setuid binary there.
I'm not talking about "breaking out" -- I'm talking about doing
unaccountable damage to the integrity of your repository and perhaps
unrepairable damage to the reputation of some other unsuspecting and
more trustworthy user.
--
Greg A. Woods
+1 416 218-0098 VE3TCP <[EMAIL PROTECTED]> <robohack!woods>
Planix, Inc. <[EMAIL PROTECTED]>; Secrets of the Weird <[EMAIL PROTECTED]>
