On Sun, 2010-08-01 at 17:41 -0700, Gordon Messmer wrote: > On 08/01/2010 01:44 PM, JohnS wrote: > > It *WILL* work It is called "Outside to In"&& mount -o bind will also. > > You previously described symlinking "out" to the root filesystem, which > is impossible. Symlinks cannot resolve to files outside of a chroot > environment. Hard links can. lol > It is, however, possible to create a symlink in the primary root > filesystem which points to a file inside a tree used for chroot, if that > is what you mean by "outside to in". In that case, your previous post > was simply unclear. Correct yes. > > The difference depends on what is exactly the person needs. IE (which > > way). It will also allow a "Jail Break" Out& In. So security goes out > > the window. In effect Zero Day here we are. > > Symlinks do not allow you to break out of a chroot. In fact, chroot > isn't a security mechanism. chroot will confine any non-root process, > but any root process can escape a chroot simply by setting its cwd to > the root directory and then calling chroot() to any directory. The > process will then have a cwd outside its own root filesystem, and can > access the filesystem outside of the path it was originally using as its > chroot. Most people choose to refer to chroot as a secure means of running a service which is simply not true. It is known in the past that non root services can jail break out and can break into the jailed root. The only good I have ever seen from chroot is building a OS from the ground up. It will only ever be as secure as the person configuring it. > The term "zero day" normally describes a software exploit which was not > previously known. I don't believe it applies to anything you described. True and there are new ones every day don't be fooled. What good is the bind service running in a chroot when you get cache poisoned? Your patches up to date? That may not even help. John