Hi David, This solution looks good. I did not test, but I do have one minor comment after glancing at the code:
@@ -2662,7 +2700,14 @@ check_cmd_access(const char *command, const char > *opt) > * only requires X_OK to function on Unix - a scenario not unlikely to > * be seen on suid binaries. > */ > - return_code = check_file_access(CHKACC_FILE, argv.argv[0], X_OK, opt); > + if (chroot) > + { > + return_code = check_file_access_chroot(chroot, CHKACC_FILE, > argv.argv[0], X_OK, opt); > + } > + else > + { > + return_code = check_file_access(CHKACC_FILE, argv.argv[0], X_OK, > opt); > + } >

This if seems redundant here, as chroot is checked by check_file_access_chroot itself. Furthermore, for the other occurrences of check_file_access you stick to just replacing it with check_file_access_chroot. I would suggest to do that here too.

-Steffan
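Review bot: the `if (chroot)` / `else` pair added around the X_OK check passes the same four arguments (CHKACC_FILE, argv.argv[0], X_OK, opt) in both branches, so any later change to this check has to be made twice. If check_file_access_chroot treats an unset chroot as the plain check, a single unconditional call `return_code = check_file_access_chroot(chroot, CHKACC_FILE, argv.argv[0], X_OK, opt);` is enough; if it does not, the comment above the call should say why the branch is needed. The variable name `chroot` also matches the chroot() library function, so a distinct name (for example chroot_dir, a suggested name only) would keep `if (chroot)` from silently testing the function's address if the declaration ever goes out of scope.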