Re: Complete chroot environment?

On Thu, 2007-12-27 at 21:43 +0900, John Summerfield wrote:
> Tom Horsley wrote:
> > I've been experimenting with chroot to switch to an
> > alternate root partition and "do stuff" without
> > actually having to reboot to that alternate OS.
> > 
> > I see that none of the special filesystems seem to
> > be created as part of the ordinary chroot command, yet
> > things like the bind-chroot rpm does manage to create
> > a more complete environment for named to run in
> > (with populated /dev and /proc and wot-not).
> > 
> > Is there a handy tool somewhere to duplicate all the
> > special filesystems in a chroot environment?
> > 
> > Or should I just look at bind-chroot in more detail
> > and steal what it does?
> > 
> The general idea of chroot is to provide a slightly more secure 
> environment than the base system.
> 

Actually, the general idea of chroot is to provide the base system with an
extra layer of security. E.g. chrooted bind: if one succeeds in
compromising bind, he cannot compromise the base system once he is isolated
in the chrooted environment.
Of course, there are ways to surpass chroot as well, but this is an
entirely different story.


> bind-chroot has what it needs; ordinarily one doesn't want devices in 
> the chroot environment (a few exceptions such as /dev/{null,zero} are 
> needed, but certainly not /dev/sda).
> 
> I would contemplate an alternative approach such as using xen or, if h/w 
> virtualisation is available, kvm.
> 
> -- 
> 
> Cheers
> John
> 
> -- spambait
> 1aaaaaaa@xxxxxxxxxxxxxxxx  Z1aaaaaaa@xxxxxxxxxxxxxxxx
> -- Advice
> http://webfoot.com/advice/email.top.php
> http://www.catb.org/~esr/faqs/smart-questions.html
> http://support.microsoft.com/kb/555375
> 
> You cannot reply off-list:-)
> 

OTOH, you may want to look at jailkit
(http://olivier.sessink.nl/jailkit/) or even LFS
(http://www.linuxfromscratch.org/) if you want to play around with
chroot.


HTH,



Calin

=================================================
Men take only their needs into consideration -- never their abilities.
-- Napoleon Bonaparte
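A setup script of the kind Tom asked about, added here as an example (it is not bind-chroot's own script and not from anyone in the thread). It assumes an alternate root already populated at a path you supply, root privileges for the real run, and a hypothetical CHROOT_DRY_RUN variable that prints the commands instead of executing them; it mounts /proc and /sys plus only the handful of device nodes John mentions, not the whole of /dev.

```shell
#!/bin/sh
# Example (not bind-chroot's script): enter a chroot with /proc, /sys and a
# minimal private /dev, then unmount everything again, even if the command
# inside the chroot fails. Needs root. CHROOT_DRY_RUN=1 (hypothetical name)
# prints each command instead of running it.

# Only the nodes a chrooted service actually needs; never the whole of /dev,
# so a compromised process inside cannot reach /dev/sda and friends.
MINIMAL_DEVS="null zero random urandom"

run() {
    if [ "${CHROOT_DRY_RUN:-0}" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Mount the special filesystems into $1 and build a private, minimal /dev.
setup_chroot_fs() {
    root="$1"
    run mkdir -p "$root/proc" "$root/sys" "$root/dev"
    run mount -t proc proc "$root/proc"
    run mount -t sysfs sysfs "$root/sys"
    # tmpfs over the image's /dev, so stray nodes on disk are not exposed
    run mount -t tmpfs -o nosuid,noexec,mode=755 tmpfs "$root/dev"
    for d in $MINIMAL_DEVS; do
        # bind the host node rather than hard-coding major/minor numbers
        run touch "$root/dev/$d"
        run mount --bind "/dev/$d" "$root/dev/$d"
    done
}

# Unmount in reverse order: the bind mounts under /dev first, then /dev itself.
teardown_chroot_fs() {
    root="$1"
    for d in $MINIMAL_DEVS; do
        run umount "$root/dev/$d"
    done
    run umount "$root/dev" "$root/sys" "$root/proc"
}

# Usage: enter_chroot /mnt/altroot /bin/bash
enter_chroot() {
    root="$1"; shift
    setup_chroot_fs "$root" || return 1
    status=0
    run chroot "$root" "$@" || status=$?   # keep the exit code, still clean up
    teardown_chroot_fs "$root"
    return "$status"
}
```

Remember that chroot alone is not an escape-proof boundary, as the thread notes; combine it with dropped privileges or one of the virtualisation options John suggests when the contents are untrusted.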

-- 
fedora-list mailing list
fedora-list@xxxxxxxxxx
To unsubscribe: https://www.redhat.com/mailman/listinfo/fedora-list