Re: chroot vs unveil

2020-02-07 Thread Theo de Raadt
whistlez...@riseup.net wrote:
> On Thu, Feb 06, 2020 at 10:35:17AM -0700, Theo de Raadt wrote:
> > Kevin Chadwick wrote:
> >
> > > I am considering replacing all chroot use with unveil in my processes
> > > even where
> > > no filesystem access is required.
> >
> > I am discouraging this.
> >

Re: chroot vs unveil

2020-02-07 Thread whistlez-ml
On Thu, Feb 06, 2020 at 10:35:17AM -0700, Theo de Raadt wrote:
> Kevin Chadwick wrote:
>
> > I am considering replacing all chroot use with unveil in my processes even
> > where
> > no filesystem access is required.
>
> I am discouraging this.
>
> unveil is a complicated mechanism, and we may

Re: chroot vs unveil

2020-02-07 Thread Kevin Chadwick
>
>> I am considering replacing all chroot use with unveil in my processes even
>> where
>> no filesystem access is required.
>
> I am discouraging this.
>
> unveil is a complicated mechanism, and we may still discover a bug in
> it.
>
> Almost all the chroot in the tree are to empty unwriteab

Re: chroot vs unveil

2020-02-06 Thread Theo de Raadt
Kevin Chadwick wrote:
> I am considering replacing all chroot use with unveil in my processes even
> where
> no filesystem access is required.

I am discouraging this.

unveil is a complicated mechanism, and we may still discover a bug in it.

Almost all the chroot in the tree are to empty unwri

chroot vs unveil

2020-02-06 Thread Kevin Chadwick
I am considering replacing all chroot use with unveil in my processes even where no filesystem access is required. Is there any guidance on whether that is the best practice, where you only intend to run on OpenBSD?