On Tue, Dec 04, 2012 at 11:42:04PM +0700, Robert Elz wrote:
>
> Even chroot isn't a problem, unless you're tempted to view it as some
> kind of security mechanism. It really isn't - it is just namespace
> modification. Sure, by modifying the filesystem namespace a bunch
> of simple security attacks seem easy to avoid (and it does provide
> some simple measure of protection) but as a true security mechanism
> it really doesn't come close, and arguing against feature X or Y
> because some tricky application of it can defeat chroot "security"
> is just plain insane.

Let's not lose sight of the fact that chroot can most certainly
compromise security if used improperly even if you are only using
it as a namespace mechanism, though. So, there are most definitely
security considerations that must be taken into account even if
you think that chroot is not a security mechanism.

--
Roland Dowdeswell    http://Imrryr.ORG/~elric/