On Sat, Sep 12, 2009 at 06:43:24PM +0000, Florian Weimer wrote:
> The reason is that more and more libc features depend on availability
> of /proc. This means that you have to mount /proc within the chroot,
> which somewhat defeats the exercise of chrooting.
Yes. You also might need /sys and /dev depending upon what you are doing. libc support files and NSS modules might also be needed; setting up a correctly functioning chroot can be hard nowadays, since there are all these details. This is the reason I made schroot mount /proc, /sys and bind mount /dev by default.

> On the other hand,
> it's not totally clear that chrooting is an effective defense anyway
> (I haven't got enough attack data to make a qualified judgment).

It's only virtualising the filesystem. Devices, shared memory, semaphores, open files etc. are still shared with the host, so it's only providing minimal protection.

> So what's the response to bugs like #545808? /proc-less chroots are
> simply unsupported?

IME, yes. OTOH, I think that GNU libc should not be completely reliant upon /proc or /sys, and should make a best effort to function correctly in its absence.

Regards,
Roger

-- 
  .''`.  Roger Leigh
 : :' :  Debian GNU/Linux             http://people.debian.org/~rleigh/
 `. `'   Printing on GNU/Linux?       http://gutenprint.sourceforge.net/
   `-    GPG Public Key: 0x25BFB848   Please GPG sign your mail.
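An added example, not code from the thread or from schroot, that audits whether a chroot directory already has the /proc, /sys and /dev mounts the message says a modern libc needs, by reading a mountinfo file (the live /proc/self/mountinfo by default). The chroot path /srv/chroot/sid and the sample mountinfo lines are constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread or schroot): check which of /proc, /sys
# and /dev are mounted under a chroot root. In /proc/self/mountinfo the mount
# point is field 5. Assumption: the chroot path contains no spaces, so the
# \040 escaping mountinfo uses for spaces does not need to be decoded.

# check_chroot_mounts ROOT [MOUNTINFO]
# Prints the missing mount names, space separated, or an empty line if
# ROOT/proc, ROOT/sys and ROOT/dev are all mounted.
check_chroot_mounts() {
    root=${1%/}
    mountinfo=${2:-/proc/self/mountinfo}
    missing=""
    for want in proc sys dev; do
        # awk exits 0 only if some line's mount point equals ROOT/want
        if ! awk -v mp="$root/$want" '$5 == mp { found = 1 } END { exit !found }' "$mountinfo"; then
            missing="${missing:+$missing }$want"
        fi
    done
    printf '%s\n' "$missing"
}

# Constructed sample: a chroot at /srv/chroot/sid with /proc and /sys
# mounted, but /dev never bind-mounted (the case the thread warns about).
SAMPLE_MOUNTINFO='21 1 8:1 / / rw,relatime - ext4 /dev/sda1 rw
22 21 0:4 / /proc rw,nosuid - proc proc rw
23 21 0:5 / /dev rw,nosuid - devtmpfs udev rw
40 21 0:4 / /srv/chroot/sid/proc rw,nosuid - proc proc rw
41 21 0:6 / /srv/chroot/sid/sys rw,nosuid - sysfs sysfs rw'

# demo_missing: run the check against the constructed sample; prints "dev".
demo_missing() {
    tmp=$(mktemp)
    printf '%s\n' "$SAMPLE_MOUNTINFO" > "$tmp"
    check_chroot_mounts /srv/chroot/sid "$tmp"
    rm -f "$tmp"
}
```

Run `check_chroot_mounts /path/to/chroot` as root on the host to audit a live chroot; a non-empty result means libc features that rely on those pseudo-filesystems may misbehave inside it.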