Re: prevent breaking a chroot() jail?

Martin Josefsson (gandalf@wlug.westbo.se)
06 Jul 2002 00:26:30 +0200


On Fri, 2002-07-05 at 23:00, David Wagner wrote:

> Chroot is a lot better than nothing, but it doesn't provide a
> secure jail, especially not for root. However, the following
> tools are intended to provide a secure jail, and may be of interest
> to you: SubDomain (http://www.immunix.org/subdomain.html), Janus
> (http://www.cs.berkeley.edu/~daw/janus/), and BSD's jail() system call
> come to mind. Also, may I point you to the Linux Security Modules project
> (http://lsm.immunix.org/)? I think you may find it of interest.

I haven't seen vserver mentioned in this thread.

http://www.solucorp.qc.ca/miscprj/s_context.hc

It disables a lot of capabilities (configurable) and other stuff.
Worth taking a look at.

-- 
/Martin

Never argue with an idiot. They drag you down to their level, then beat you with experience.