On Sat, Dec 24, 2011 at 02:45:21AM -0800, Xin LI wrote: > On Sat, Dec 24, 2011 at 2:39 AM, Andrey Chernov <a...@freebsd.org> wrote: > > On Sat, Dec 24, 2011 at 02:26:20AM -0800, Xin LI wrote: > >> chroot(2) can create legitimate and secure environment where dlopen(2) > >> is safe and necessary. > > > > Yes, so ischroot() check can be used only into that places where libc's > > libc_dlopen() currently used, i.e. placed into libc_dlopen() itself. > > So it's Okay to break NSS in chroot jail?
We need general solution. We simple can't count all possible and future ftpd's arround the world and insert __FreeBSD_libc_enter_restricted_mode() into them. I even not mention other programs that may use chroot() too. If some component like auth is critical for chroot, it should be restricted in general scope. -- http://ache.vniz.net/ _______________________________________________ svn-src-all@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/svn-src-all To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
