> I've reread the whole thread but I don't understand how fch* and fexec*
> differ.
> As far as I can see they all cause the same sort of problems.
> So, a solution should be the same for all of them.

AFAIK (i didn't write a test), fchroot() outside of the chroot is already disallowed by the kernel. this, among several other additional changes our chroot support has, is why netbsd chroots are a better base for security than other platforms' chroots.

.mrg.