In <E12Q8GR-0005UT-00@the-village.bc.nu> Alan Cox (alan@lxorguk.ukuu.org.uk) wrote:
>> program to execure cgi script in sandbox. And without devfs, procfs and
>> ipcfs it's DOABLE: you can put all needed libraries as hardlinks
>> there. Without // trick (or rather /../ trick -- looks much saner to me)
>> it's doable as well. WITHOUT changes for each and every program when new
>> netfs or whjatever is implemented.
AC> Unfortunately you've already introduced a security hole in wu.ftpd if you
AC> dont modify it
AC> put //ipc/statusfile
AC> stomp... and ipc may contain stuff you dont want outsiders reading. I'd actually
AC> like chrooted stuff not be able to access the master /ipc. In fact being able
AC> to mount further /ipc namespaces inside chrooted environments which are
AC> seperate from the main one would be the good thing
Agree 100% now (now, when Viro said that such tricks will be possible "in not
so distant future": not 2000 and perhaps not even 2001 year but world will not
end neither in 2000 nor 2001 year as well).
AC> Thats another step into supporting partitioning of applications on Linux
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/
This archive was generated by hypermail 2b29 : Tue Mar 07 2000 - 21:00:10 EST