[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: chroot() break



On Fri, May 25, 2001 at 02:48:48PM +0000, Uwe Ohse wrote:

> Jail just causes a broken application to not break other parts of the
> system (unless jail itself is broken). The application in question

As far as I know, that's exactly what chroot does, only jail tries to be
stronger.  named is chrooted in case it gets hacked, right?

I'm a newbie; I don't know much.  But the argument so far is unconvincing.

> > But if it exists in other systems why not in OpenBSD ?
> 
> Jail seems to be a complicated subsystem with high influence all other
> the operating systems code. This is not a modification which is done
> lightly, and it's going to have zillions of side effects. OpenBSD
> has, until now, choosen to keep things simple.

This is more convincing.  

I'd note that "jail is in principle a good idea, but hard to do and not worth
developer time at the moment" would also be convincing.  But when we see
FreeBSD create what looks like a stronger chroot, and we ask why OpenBSD
doesn't copy this stronger chroot, especially as OpenBSD has no objection to
using chroot itself, then asserting that jail doesn't do any good isn't
convincing.  

-xx- Damien X-) 



Visit your host, monkey.org