On Tue, 2011-09-06 at 13:02 -0400, Alphonse Hansel Anthony wrote: > Hi, > What is the difference between chroot & pivot_root. > They don't seem obvious based on the man pages apart from the below > mentioned > caveats.
> 1) Inherited Open file descriptors, have to be explicitly closed. > 2) Does not change CWD of the process, which can be overcome by doing a > chdir before & after chroot call. > Any information on this would be useful. Operationally and functionally these two things would appear to be very very similar and they do similar things. The change the root pointer for "/" to point at a new location. There are some subtle differences in there that I will leave to others to describe. One not so subtle difference is that, if you execute a pivot_root you affect everything in that context. If it's a container, you only impact the container. If you do it on the host, it's the entire OS that's impacted. For me, the real difference is the security aspects. The chroot action has some known security holes. They are NOT really considered "bugs" per say but "design characteristics" and not likely to ever be really "fixed" per se. The OpenVZ bunch and/or maybe the Linux-Vservers bunch came up with their own solutions to the chroot holes that allow a superuser in a chrooted environment to "escape" and either leak information or access information or influence activities outside of the chrooted environment. The pivot_root action performs the same activity without those security problems and without the need to "fix" chroot. Which is why Daniel switched from chroot to pivot_root ages ago. All that being said, pivot_root is not without it's own set of problems and things got broken and fixed along that road too. We're still dealing with other leakage and escape methods which are outside of the whole chroot / pivot_root context as well. > Thanks, > Alphonse I think I got that all right. :-P Regards, Mike -- Michael H. Warfield (AI4NB) | (770) 985-6132 | m...@wittsend.com /\/\|=mhw=|\/\/ | (678) 463-0932 | http://www.wittsend.com/mhw/ NIC whois: MHW9 | An optimist believes we live in the best of all PGP Key: 0x674627FF | possible worlds. A pessimist is sure of it!
signature.asc
Description: This is a digitally signed message part
------------------------------------------------------------------------------ Special Offer -- Download ArcSight Logger for FREE! Finally, a world-class log management solution at an even better price-free! And you'll get a free "Love Thy Logs" t-shirt when you download Logger. Secure your free ArcSight Logger TODAY! http://p.sf.net/sfu/arcsisghtdev2dev
_______________________________________________ Lxc-devel mailing list Lxc-devel@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/lxc-devel
