In <4a140dad.6020...@yahoo.com>, Marc Shapiro wrote:
> Boyd Stephen Smith Jr. wrote:
>> In <4a125119.8030...@yahoo.com>, Marc Shapiro wrote:
>>> I then chrooted into /mnt/debinst, again, and did:
>>> cd \dev
>>> MAKEDEV generic
>> Instead of this, since you have a running Linux system, I would suggest
>> doing (from outside the chroot):
>> mount -o rbind /dev /mnt/debinst/dev
> That is probably what I have done before, but the current docs only say
> that it can be done, not what the actual command is. They also
> recommend against it.
That's probably because the bind mount gives the chroot significant access to the host. Specifically, unlinking a device from /dev inside the chroot will also unlink it from /dev outside the chroot, which could cause problems.

I don't mind doing the bind mount, because much more destructive acts can be done as root inside the chroot if you don't have the filesystem it is on mounted 'nodev', and doing that generally results in a non-functional chroot. As far as destructive acts, I'm thinking mknod for every possible hd*, sd*, md*, and dm* device plus urandom and then writing the contents of urandom over all the other devices.

chroots are only as secure as your method of dropping permissions after doing the chroot() system interface call.

-- 
Boyd Stephen Smith Jr.           ,= ,-_-. =.
b...@iguanasuicide.net          ((_/)o o(\_))
ICQ: 514984   YM/AIM: DaTwinkDaddy `-'(. .)`-'
http://iguanasuicide.net/            \_/
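The two hazards raised in the reply above, the chroot's filesystem lacking `nodev` and the host's `/dev` tree being `rbind`-mounted into it, can both be read off `/proc/mounts` before anyone is chrooted. The following is an added example written for this page, not code from either poster or from Debian; the `/proc/mounts` lines it parses are constructed samples, and the `/mnt/debinst` path is the one used in the thread.

```python
"""Check a planned chroot against two hazards from the thread:
 - the filesystem holding the chroot is not mounted 'nodev', so device
   nodes created with mknod inside it are usable;
 - the host's /dev (devtmpfs) is bind-mounted into the chroot, so the
   chroot shares the host's device tree.
Reads text in /proc/mounts format so it can run offline on samples."""

import posixpath

# Constructed sample in /proc/mounts format (not captured from a real host):
# device  mountpoint  fstype  options  dump  pass
SAMPLE_MOUNTS = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=8G,mode=755 0 0
/dev/sdb1 /mnt/debinst ext4 rw,relatime 0 0
udev /mnt/debinst/dev devtmpfs rw,nosuid,relatime,size=8G,mode=755 0 0
devpts /mnt/debinst/dev/pts devpts rw,nosuid,noexec,relatime 0 0
"""

# Constructed sample of the same layout with the chroot filesystem mounted
# 'nodev' and no host /dev inside it.
SAMPLE_MOUNTS_HARDENED = """\
/dev/sda1 / ext4 rw,relatime,errors=remount-ro 0 0
udev /dev devtmpfs rw,nosuid,relatime,size=8G,mode=755 0 0
/dev/sdb1 /mnt/debinst ext4 rw,nodev,nosuid,relatime 0 0
"""


def parse_mounts(text):
    """Parse /proc/mounts lines into (mountpoint, fstype, set_of_options)."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        # /proc/mounts encodes spaces in paths as \040; undo that.
        mountpoint = fields[1].replace("\\040", " ")
        entries.append((mountpoint, fields[2], set(fields[3].split(","))))
    return entries


def mount_for(entries, path):
    """Return the entry whose mountpoint is the longest prefix of path."""
    path = posixpath.normpath(path)
    best = None
    for entry in entries:
        mp = entry[0]
        if path == mp or path.startswith(mp.rstrip("/") + "/"):
            if best is None or len(mp) > len(best[0]):
                best = entry
    return best


def check_chroot(mounts_text, chroot):
    """Report the nodev state of the chroot's filesystem and whether the
    host's devtmpfs is mounted anywhere under <chroot>/dev."""
    entries = parse_mounts(mounts_text)
    chroot = posixpath.normpath(chroot)
    fs = mount_for(entries, chroot)
    dev_inside = posixpath.join(chroot, "dev")
    host_dev = [mp for mp, fstype, _ in entries
                if (mp == dev_inside or mp.startswith(dev_inside + "/"))
                and fstype == "devtmpfs"]
    nodev = bool(fs) and "nodev" in fs[2]
    findings = []
    if not nodev:
        findings.append("chroot filesystem lacks nodev: mknod'd device "
                        "nodes inside the chroot are usable")
    if host_dev:
        findings.append("host /dev is bind-mounted at %s: unlinking a "
                        "device inside the chroot removes it on the host"
                        % ", ".join(host_dev))
    return {"filesystem": fs[0] if fs else None,
            "nodev": nodev,
            "host_dev_bind_mounted": bool(host_dev),
            "findings": findings}


if __name__ == "__main__":
    for name, text in (("rbind", SAMPLE_MOUNTS),
                       ("hardened", SAMPLE_MOUNTS_HARDENED)):
        report = check_chroot(text, "/mnt/debinst")
        print(name, report["findings"] or ["no findings"])
```

On a live host, pass `open("/proc/mounts").read()` instead of the sample text. The `nodev` flag only covers nodes created on the chroot's own filesystem; an `rbind` of `/dev` carries the host devtmpfs's own mount options with it, which is why the check reports the two conditions separately.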