[prev in list] [next in list] [prev in thread] [next in thread]
List: klik-devel
Subject: Re: [klik-devel] strace question
From: Lionel Tricon <lionel.tricon () free ! fr>
Date: 2008-01-27 22:05:26
Message-ID: 200801272305.26532.lionel.tricon () free ! fr
[Download RAW message or body]
On Thursday 24 January 2008 20:21:58 Ng, Cheon-woei wrote:
> Hi Lionel,
> Thank you again for your high level explanations.
>
> By hacking fakechroot to give direct access to /proc, /dev, etc, would it
> create security holes? Have you add any security measures?
Hi Woei,
Well, if you consider how fakechroot works and that it's not really a true
jail since you can go outside the jail only by issuing "unset LD_PRELOAD", i
don't think it's really an issue.
There is an another project, called Fakeroot-ng, that could be a good
replacement for fakechroot since it's ptrace based and aim the same target.
This project could be much more interresting from a security standpoint even
if, for the moment, it's really at a early stage and not really usable.
But consider as well that these directories are common
directories : /proc, /dev, /tmp and /var/run. For all the others, you need to
deal with the fuse layer and our sandbox feature.
But if you can assure that a process cannot leave the jail, it could be a very
interresting way to test and exec applications without any fear. But it's not
the main concern at the moment.
> Woei
Lionel
_______________________________________________
klik-devel mailing list
klik-devel@kde.org
https://mail.kde.org/mailman/listinfo/klik-devel
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic