Re: chroot useful?

["Douglas R. Steinbaum" <steinbau () itd nrl navy mil>]

Regarding the comment made by Steve Bellovin (pasted at the end of this 
message):

I was under the impression that running the chroot() command on a UNIX 
box would make it impossible for all subsequently launched programs to 
access files located above the newly defined root point, even if such 
programs are launched with a UID of 0.  Thus, the command could be used 
as a simple "wrapper" to prevent a user application program which is not 
completely trusted (for example, a commercial SW package for which source 
code is unavailable) from being misused to access critical system files.  
That is, chroot could be run to define the root point such that critical 
files are inaccessible, and then the untrusted application would 
subsequently be launched.  Is this not correct?

(I am new to this list, so I apologize if this question has already been 
answered.)

- Doug Steinbaum

> It is important to understand what chroot() is and what it isn't.  It is
> not a virtualization of the machine.  Attempts to use it as such are
> quite likely doomed.  It is a mechanism to virtualize file name access;
> at that, it does quite a good job, and has since shortly after the first
> public release in 1979.  (That version permitted chroot("..") out of the
> subtree.)
>
> Standard UNIX systems do not have a complete virtual environment.  There
> have been various attempts to add these on, with more or less success.
> But it's an area where one should tread cautiously.
>
>
>               --Steve Bellovin