Slashdot Mirror

← Back to Stories (view on slashdot.org)

When Not to Use chroot

Posted by CowboyNeal on from the trust-no-one dept.

Hyena writes "Linux guru Alan Cox is quoted as saying 'chroot is not and never has been a security tool' in a KernelTrap article summarizing a lengthy thread on the Linux Kernel mailing list. The discussion began with a patch attempting to 'fix a security hole' in the Unix chroot command, trying to improve the ability of chroot to contain a process. When it was pointed out that people have been using chroot as a security tool for years, another kernel hacker retorted, 'incompetent people implementing security solutions are a real problem.' A quick search on the terms 'chroot+security' quickly reveals that many people have long thought (wrongly) that chroot's purpose was for improving security."

1 of 407 comments (clear)

  1. Re:Then what is it for? by soloport · · Score: 5, Interesting
    What's it for?

    https://portal.mytesting.org:8080/ (including)
    * tinyHTTP (AppWeb, Apache, etc.)
    * SQLite (MySQL, Postgres, etc.)
    * [chroot-path-0]/www/html/*
    * Other ([chroot-path-0]/usr/lib, [chroot-path-0]/bin, etc.)
    and repeat...

    https://my-test-env.org:8081/

    https://my-test-env.org:8082/

    https://my-test-env.org:8083/

    https://my-test-env.org:8084/ Next, bind /proc to all 5. Then make a script to easily update them from SVN. Done.

    Now you have 5 chroot'ed web environments to help your test team (of 5) speed up Alpha testing. May be fraught with bad security? That's not the point.