[prev in list] [next in list] [prev in thread] [next in thread] 

List:       klik-devel
Subject:    Re: [klik-devel] strace question
From:       Lionel Tricon <lionel.tricon () free ! fr>
Date:       2008-01-27 22:05:26
Message-ID: 200801272305.26532.lionel.tricon () free ! fr
[Download RAW message or body]

On Thursday 24 January 2008 20:21:58 Ng, Cheon-woei wrote:
> Hi Lionel,
> Thank you again for your high level explanations.
>
> By hacking fakechroot to give direct access to /proc, /dev, etc, would it
> create security holes?  Have you add any security measures?

Hi Woei,

Well, if you consider how fakechroot works and that it's not really a true 
jail since you can go outside the jail only by issuing "unset LD_PRELOAD", i 
don't think it's really an issue.

There is an another project, called Fakeroot-ng, that could be a good 
replacement for fakechroot since it's ptrace based and aim the same target. 
This project could be much more interresting from a security standpoint even 
if, for the moment, it's really at a early stage and not really usable.

But consider as well that these directories are common 
directories : /proc, /dev, /tmp and /var/run. For all the others, you need to 
deal with the fuse layer and our sandbox feature.

But if you can assure that a process cannot leave the jail, it could be a very 
interresting way to test and exec applications without any fear. But it's not 
the main concern at the moment.

> Woei
Lionel
_______________________________________________
klik-devel mailing list
klik-devel@kde.org
https://mail.kde.org/mailman/listinfo/klik-devel
[prev in list] [next in list] [prev in thread] [next in thread]