What chroot() is really for
Posted Oct 5, 2007 20:29 UTC (Fri) by wahern (subscriber, #37304)
In reply to: What chroot() is really for by jond
Parent article: What chroot() is really for
That chroot doesn't work? I can also point you to many advisories that have shown that chroot also contained an exploit. OpenSSH, BIND, Apache (OpenBSD), OpenNTP, djbdns, and qmail all use chroot, and the use of chroot has mitigated the impact of serious and widespread code exploits.
chroot is not _the_ answer. In all this debate, either here or on LKML, I have yet to see anybody mistakenly suggest that chroot _alone_ is a sufficient measure. All of these straw man arguments that say that chroot shouldn't be used because chroot _alone_ isn't sufficient are fallacious.
I'm only sticking to my guns because these forums are archived, and I don't want to see a student or junior engineer come to me in 10 years and say they didn't use chroot, though they trivially could have, because they were told it was useless.