On Fri, Jul 11, 2014 at 01:24:01PM +0200, Eric Sesterhenn wrote:
> Hi,
>
> on my debian installation, the ovsdb-server is running as root. Since I
> prefer to add additional mitigations for running services, I was looking
> into putting the ovsdb-server into a chroot and implemented it in the
> following three patches.
>
> These patches are sent as a request for comments, since there are still
> some issues left. The first patch introduces a file descriptor leak, and
> some testcases fail when the chroot is enabled (these are 1293 1294 1297
> 1298 1299 1301). If --run-command is passed, the chroot is not active,
> since the ovsdb-server requires access to further files.
>
> Is this something worthwhile pursuing, or are there reasons why chrooting
> was not already implemented for ovsdb-server?
I liked the idea as well. The main_loop refactoring is a nice thing even without the series, I find the code easier to understand.

I don't think there is a need to pre-open files in /dev since they usually are available inside of the chroot, right? I did a quick test with mock and this is what I found in there:

<mock-chroot>[root@t520 /]# ls /dev
console  full  ptmx  random  stderr  stdout  urandom
fd       null  pts   shm     stdin   tty     zero

It's been a while since I worked with chroots though.

I also didn't understand why chroot to a writeable directory isn't allowed.

Thanks,
fbl

_______________________________________________
dev mailing list
dev@openvswitch.org
http://openvswitch.org/mailman/listinfo/dev
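The two points the thread circles around, whether /dev needs to be pre-opened and why a writable chroot target is refused, are easiest to see in the entry sequence itself. The following is an added illustration, not code from the patch series or from Open vSwitch: it stat()s the jail directory and rejects it unless it is a root-owned directory that group and other cannot write (a writable jail lets the confined process plant its own etc/ or lib/ entries that later path lookups resolve inside the new root), opens /dev/null and /dev/urandom with O_CLOEXEC before chroot() so nothing in /dev is needed afterwards and the descriptors do not leak into --run-command children, and then does chdir, chroot, chdir("/"), setgroups, setgid, setuid in that order and verifies uid 0 is gone. The jail path /var/empty and the uid 65534 are assumptions for the demo; every function name here is hypothetical.

```c
/* Added example, not ovsdb-server code.  Assumes Linux and a root-owned,
 * non-writable jail directory (here /var/empty, an assumption). */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Policy for an acceptable chroot target: a real directory, owned by root,
 * writable only by its owner, and the uid we drop to must not be root. */
int chroot_dir_ok(mode_t mode, uid_t owner, uid_t jail_uid)
{
    if (jail_uid == 0)              return -1; /* not a privilege drop */
    if (!S_ISDIR(mode))             return -1;
    if (owner != 0)                 return -1; /* must belong to root */
    if (mode & (S_IWGRP | S_IWOTH)) return -1; /* group/other writable */
    return 0;
}

/* stat() the path and apply the policy.  Returns 0 if acceptable. */
int check_chroot_dir(const char *dir, uid_t jail_uid)
{
    struct stat st;
    if (stat(dir, &st) < 0) return -1;
    return chroot_dir_ok(st.st_mode, st.st_uid, jail_uid);
}

/* Descriptors the daemon still needs once /dev is out of reach.  Opened
 * before chroot() with O_CLOEXEC: no populated /dev needed in the jail,
 * and nothing leaks into children spawned for --run-command. */
struct preopened {
    int devnull;
    int urandom;
};

int preopen_devices(struct preopened *p)
{
    p->devnull = open("/dev/null", O_RDWR | O_CLOEXEC);
    p->urandom = open("/dev/urandom", O_RDONLY | O_CLOEXEC);
    if (p->devnull < 0 || p->urandom < 0) {
        if (p->devnull >= 0) close(p->devnull);
        if (p->urandom >= 0) close(p->urandom);
        return -1;
    }
    return 0;
}

/* Self-check that works without root: returns 1 if pre-opening succeeds. */
int preopen_selftest(void)
{
    struct preopened p;
    if (preopen_devices(&p) < 0) return 0;
    close(p.devnull);
    close(p.urandom);
    return 1;
}

/* Enter the jail and drop privileges.  chdir() first so the cwd is inside,
 * chdir("/") afterwards so no directory handle still points outside, then
 * groups, gid, uid, and finally prove root cannot be regained.  Needs root. */
int enter_chroot(const char *dir, uid_t uid, gid_t gid)
{
    if (check_chroot_dir(dir, uid) < 0) return -1;
    if (chdir(dir) < 0)                 return -1;
    if (chroot(".") < 0)                return -1;
    if (chdir("/") < 0)                 return -1;
    if (setgroups(0, NULL) < 0)         return -1;
    if (setgid(gid) < 0)                return -1;
    if (setuid(uid) < 0)                return -1;
    if (setuid(0) == 0)                 return -1; /* drop did not stick */
    return 0;
}

int main(void)
{
    const char *jail = "/var/empty"; /* assumed; adjust for your host */
    uid_t uid = 65534;               /* nobody; assumed */
    gid_t gid = 65534;
    struct preopened fds;
    unsigned char b[4];

    if (preopen_devices(&fds) < 0) { perror("preopen"); return 1; }
    errno = 0;
    if (check_chroot_dir(jail, uid) < 0) {
        fprintf(stderr, "%s: unsuitable chroot target (%s)\n", jail,
                errno ? strerror(errno) : "writable, not a dir, or not root-owned");
        return 1;
    }
    if (geteuid() != 0) {
        printf("not root: would chroot into %s and drop to uid %u\n", jail, uid);
        return 0;
    }
    if (enter_chroot(jail, uid, gid) < 0) { perror("enter_chroot"); return 1; }
    /* Still usable inside the jail even though it has no /dev of its own. */
    printf("in jail, read %zd random bytes\n", read(fds.urandom, b, sizeof b));
    return 0;
}
```

The writable-directory refusal falls out of chroot_dir_ok: a mode such as 01777 (what /tmp has) or a directory owned by the jail uid is rejected before chroot() is ever called, which is the check a daemon wants regardless of whether /dev happens to exist inside the jail.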