> > I always had some doubts about the real protection that a chrooted
> > environment can give. As you know, there is a lot of things that can be
> > done in this environment, supposing you can bring some binaries in it:
> > connect to other ports using the loopback interface, connect to internal
> > hosts etc. These days I was talking about this with a list member, so I
> > tried on a linux box to mount the /proc filesystem in a chrooted
> > environment, and it worked. I had immediate access to all the process
*Root* can trivially break out of chroot() jails in many ways,
including by mounting /proc and by creating and messing with device
special files. Ordinary users, on the other hand, can do almost
nothing to the rest of the system if the jail is set up well; unless
I'm overlooking something, the only potentially risky power they have
in that case is the ability to make network connections originating at
that host.
-- Aaron M. Ucko <amu@mit.edu> (finger amu@monk.mit.edu) [Stark raving sane]