Hi, on my Debian installation, the ovsdb-server is running as root. Since I prefer to add additional mitigations for running services, I was looking into putting the ovsdb-server into a chroot and implemented it in the following three patches.
These patches are sent as a request for comments, since there are still some issues left. The first patch introduces a file descriptor leak, and some test cases fail when the chroot is enabled (these are 1293 1294 1297 1298 1299 1301). If --run-command is passed, the chroot is not active, since the ovsdb-server needs to access further files.

Is this something worthwhile pursuing, or are there reasons why chrooting was not already implemented for ovsdb-server?

Best Regards,
Eric Sesterhenn

--
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Registered office: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Managing directors: Oliver Michel, Sven Walther

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev