On Wed, 26 Nov 2003 02:55:02 -0500, Enrico Scholz wrote
> Please note that the current 'chmod 000' hack is not affected by these
> attacks since it is a fixed barrier which can not be bypassed.
>
> Therefore, it will not make sense to hope on a magic chrootsafe() syscall
> for vservers. Alternative approaches like CLONE_NEWNS in combination with
> pivot_root() or 'mount --rbind <vdir> /' (suggested by Rik van Riel) must
> be investigated to find better methods.

What about using a new attribute (instead of 000) to tag a directory
permanently as a barrier? I have tried that a while ago to get rid of
the problems with 000. I was looking for a way to prevent access to ..
while providing forward access. Did not find anything. Too bad for
chrootsafe.

---------------------------------------------------------
Jacques Gelinas <[EMAIL PROTECTED]>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc
_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
