| 1 |
Hi Vaeth, |
| 2 |
on Tue, Sep 16, 2008 at 07:14:48PM +0200, you wrote: |
| 3 |
> > In addition, the default rsyncd configuration with Gentoo uses a chroot |
| 4 |
> > jail. |
| 5 |
> |
| 6 |
> Also a chroot jail is not a security feature: There are several ways known |
| 7 |
> how to break out. |
| 8 |
|
| 9 |
Huh? In the case of NAT it's reasonable to say it's not a security |
| 10 |
feature---it's a kludge that happens to increase security somewhat in |
| 11 |
the standard case. But there's only one reason I can see why you'd use a |
| 12 |
chroot environment *except* for security and that's to have more than |
| 13 |
one set of system binaries active at the same time for different |
| 14 |
applications. Which is normally a pretty bad kludge in itself (not that |
| 15 |
I hadn't done it, to avoid endless library woes on a Debian system that |
| 16 |
absolutely must be kept on Woody... :-S), I'd say the vast majority of |
| 17 |
chroot jails are there for nothing else but security. |
| 18 |
|
| 19 |
cheers, |
| 20 |
Matthias |
| 21 |
-- |
| 22 |
I prefer encrypted and signed messages. KeyID: FAC37665 |
| 23 |
Fingerprint: 8C16 3F0A A6FC DF0D 19B0 8DEF 48D9 1700 FAC3 7665 |
Archives