Re: chrooting daemons
From: dark@xs4all.nl (Richard Braakman)
> It might be even easier to link the daemon statically.
No, the small security or filesystem integrity gain of using a static-linked
binary is not worth the cost of having a second copy of libraries in its
working set. The developers have discussed this several times.
However, it makes sense to have programs run in a chroot context and drop
privileges if they can. Perhaps we should think about some standard facility
to do this immediately after a daemon has initialized itself and before it
starts accepting input from outside.
Thanks
Bruce
--
Can you get your operating system fixed when you need it?
Linux - the supportable operating system. http://www.debian.org/support.html
Bruce Perens K6BP bruce@debian.org NEW PHONE NUMBER: 510-620-3502
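
An added example, not part of the original message or of any Debian facility: a C sketch of the ordering suggested above, where a daemon finishes initializing, then chroots and drops privileges before it reads any outside input. The names confine and confined_child_check, the jail path "/" and the id 65534 are assumptions made for illustration.

```c
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper: call after initialization (sockets bound, config and
 * logs opened) and before any outside input is read.
 * Returns 0 on success, -1 if any step fails; the caller must then exit. */
int confine(const char *jail, uid_t uid, gid_t gid)
{
    if (chdir(jail) != 0) return -1;        /* enter the jail directory first */
    if (chroot(".") != 0) return -1;        /* needs root, so do it before setuid */
    if (chdir("/") != 0) return -1;         /* leave no cwd outside the jail */
    if (setgroups(0, NULL) != 0) return -1; /* drop supplementary groups */
    if (setgid(gid) != 0) return -1;        /* group before user: needs root */
    if (setuid(uid) != 0) return -1;        /* real, effective and saved uid */
    return 0;
}

/* Runs confine() in a child process and reports what happened:
 * 0 = confined and root cannot be regained, 1 = root was regained,
 * 2 = confinement failed (for example, not started as root), -1 = fork error. */
int confined_child_check(const char *jail, uid_t uid, gid_t gid)
{
    int status;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        if (confine(jail, uid, gid) != 0) _exit(2);
        _exit(setuid(0) == 0 ? 1 : 0);      /* must fail once privileges are gone */
    }
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status)) return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    /* Constructed values: "/" as jail and 65534 as the unprivileged id. */
    int r = confined_child_check("/", 65534, 65534);
    printf("confinement check: %d\n", r);
    return r == 0 ? 0 : 1;
}
```

A daemon that gets -1 back from confine() should exit rather than continue serving with its original privileges.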