1 |
Hi Vaeth, |
2 |
on Tue, Sep 16, 2008 at 07:14:48PM +0200, you wrote: |
3 |
> > In addition, the default rsyncd configuration with Gentoo uses a chroot |
4 |
> > jail. |
5 |
> |
6 |
> Also a chroot jail is not a security feature: There are several ways known |
7 |
> how to break out. |
8 |
|
9 |
Huh? In the case of NAT it's reasonable to say it's not a security |
10 |
feature---it's a kludge that happens to increase security somewhat in |
11 |
the standard case. But there's only one reason I can see why you'd use a |
12 |
chroot environment *except* for security and that's to have more than |
13 |
one set of system binaries active at the same time for different |
14 |
applications. Which is normally a pretty bad kludge in itself (not that |
15 |
I hadn't done it, to avoid endless library woes on a Debian system that |
16 |
absolutely must be kept on Woody... :-S), I'd say the vast majority of |
17 |
chroot jails are there for nothing else but security. |
18 |
|
19 |
cheers, |
20 |
Matthias |
21 |
-- |
22 |
I prefer encrypted and signed messages. KeyID: FAC37665 |
23 |
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665 |