whistlez...@riseup.net wrote:
> On Thu, Feb 06, 2020 at 10:35:17AM -0700, Theo de Raadt wrote:
> > Kevin Chadwick <m8il1i...@gmail.com> wrote:
> >
> > > I am considering replacing all chroot use with unveil in my processes
> > > even where no filesystem access is required.
> >
> > I am discouraging this.
> >
> > unveil is a complicated mechanism, and we may still discover a bug in
> > it.
> >
> > Almost all the chroot in the tree are to empty unwriteable directories,
> > in which case chroot is very secure and a very simple mechanism.
> >
>
> you'd suggest the same for the browsers ?

they don't use chroot, and they cannot. chroot is *only* available to root.
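
The pattern discussed in this thread, as an added example that is not part of any poster's message or of OpenBSD's own code: a root-started process chroots into an empty, unwritable directory and then drops root, and an unprivileged caller is refused at the `chroot` step. The function name, the `/var/empty` path and uid/gid 65534 are assumptions.

```c
#ifndef _DEFAULT_SOURCE
#define _DEFAULT_SOURCE        /* exposes chroot() and setgroups() on glibc */
#endif
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define JAIL_DIR "/var/empty"  /* assumed: root-owned, mode 0555, empty */

/* Returns 0 on success, or -errno of the first step that failed. */
int enter_chroot_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* chroot(2) is privileged: an unprivileged caller gets EPERM here. */
    if (chroot(dir) == -1)
        return -errno;
    /* Without this the working directory can still point outside the new root. */
    if (chdir("/") == -1)
        return -errno;
    /* Drop supplementary groups, then gid, then uid. Order matters:
     * once the uid is dropped the process can no longer change its groups. */
    if (setgroups(1, &gid) == -1)
        return -errno;
    if (setgid(gid) == -1)
        return -errno;
    if (setuid(uid) == -1)
        return -errno;
    /* A process that is still root is not confined by chroot,
     * so verify that root cannot be regained. */
    if (setuid(0) == 0)
        return -EPERM;
    return 0;
}

int main(void)
{
    /* 65534 is an assumed unprivileged uid/gid. */
    int r = enter_chroot_jail(JAIL_DIR, 65534, 65534);
    if (r != 0) {
        fprintf(stderr, "chroot jail failed: %s\n", strerror(-r));
        return 1;
    }
    puts("confined to an empty root as an unprivileged user");
    return 0;
}
```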