What chroot() is really for
Posted Oct 4, 2007 21:09 UTC (Thu) by ckelso
In reply to: What chroot() is really for
Parent article: What chroot() is really for
The only valid argument for using chroot is that you are ignorant or distrusting of your filesystem, user and group permissions. chroot isn't adding anything to the security of the daemon. Having a daemon running with a low access system account, what is the difference between having it in a chroot and not having it there? That's simple, access to things on the system that aren't known secure. It doesn't enhance your applications security at all. It mitigates your administrative incompetence.
I don't disagree with the rule of least access. I just don't agree that chroot is enhancing the security of the daemon. If the daemon itself is insecure, you should simply not have it on your system, chroot or not.
to post comments)