chroot

Jos Vos jos at xos.nl
Wed Nov 19 07:25:58 UTC 2003


On Wed, Nov 19, 2003 at 01:10:03AM -0500, Justin Zygmont wrote:

> I don't understand why this command is really necessary, if you need 
> chroot capability, then the safer way would be to set their shell to the 
> file that contains the script.  

Not true.  Chroot-ing Apache, for example, means that someone
using a hole in Apache still can't do anything outside its root.
Most ftp daemons chroot internally for guest users too.

Ideally, you could run any service in a separate chroot, but setting
it up (with all the needed shared libs and tools) is non-trivial.

See <http://www.onlamp.com/pub/a/bsd/2003/01/23/chroot.html> for
an example, maybe that gives a better view of this often
underestimated UNIX feature, existing since ages.

-- 
--    Jos Vos <jos at xos.nl>
--    X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
--    Amsterdam, The Netherlands        |     Fax: +31 20 6948204
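
Added example, not part of the original message: a shell sketch of the setup work the message calls non-trivial, copying a binary and the shared libraries that ldd reports for it into a jail directory. The function names and the jail layout are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: populate a chroot tree with a binary and its shared libraries.
# Function names and the jail layout are hypothetical.

# list_libs BIN: print absolute paths of the shared objects BIN is linked
# against. Prints nothing for a static binary.
list_libs() {
    ldd "$1" 2>/dev/null | awk '
        $2 == "=>" && $3 ~ /^\// { print $3 }  # libc.so.6 => /lib/libc.so.6 (0x...)
        $1 ~ /^\//               { print $1 }  # /lib64/ld-linux-x86-64.so.2 (0x...)
    ' | sort -u
}

# copy_into_jail JAIL FILE: copy FILE to the same absolute path below JAIL.
# cp -L follows symlinks so the jail holds the real file, not a dangling link.
copy_into_jail() {
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2"
}

# populate_jail JAIL BIN...: install each binary together with its libraries.
populate_jail() {
    jail=$1; shift
    for bin in "$@"; do
        copy_into_jail "$jail" "$bin" || return 1
        for lib in $(list_libs "$bin"); do
            copy_into_jail "$jail" "$lib" || return 1
        done
    done
}

# missing_libs JAIL BIN: print libraries BIN needs that are absent from JAIL,
# a quick check to run before starting the service inside the jail.
missing_libs() {
    for lib in $(list_libs "$2"); do
        [ -e "$1$lib" ] || echo "$lib"
    done
}
```

ldd only reports link-time dependencies, so libraries a service loads at run time (NSS modules, for instance) and any configuration or device files it opens still have to be added to the jail by hand.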