From: Michael Richardson (mcrsandelman.ottawa.on.ca)
Date: Tue Jul 17 2001 - 20:11:08 CDT

    >>>>> "Andrew" == Andrew Brown <atatatatatdot.net> writes:
    >> (I do not even think that the fchdir() checks should be done. I've
    >> used the fact that you can fchdir() out of the chroot in some applications)

        Andrew> from vfs_syscalls.c:

        Andrew> so you can't do that here. not since march '99.

      Yes, I know.
      I did this in... 1995 on a different OS.
      I understand why we did that. I do not disagree.

      I claim that we should instead introduce a different a la jail(2) that does
    this, and also more.

    ] ON HUMILITY: to err is human. To moo, bovine. | firewalls [
    ] Michael Richardson, Sandelman Software Works, Ottawa, ON |net architect[
    ] mcrsandelman.ottawa.on.ca http://www.sandelman.ottawa.on.ca/ |device driver[
    ] panic("Just another NetBSD/notebook using, kernel hacking, security guy"); [