
Re: Sandboxing Debian [was: Re: chroot administration]
On Thu, 15 Aug 2002 12:50, Sam Vilain wrote:
> > There are some limitations with it.  The biggest limitation when
> > compared to my SE Linux work is its lack of flexibility.  I can
> > setup a SE Linux chroot, then do a bind mount of /home/www, and
> > grant read-only access to the files and directories of user_home_t
> > and search access to directories of type user_home_dir_t.
>
> This stuff is accomplished through file immutability and Linux
> capabilities.  It's not as flexible as the system you're describing
> sounds, but it does work with standard Linux filesystem features and
> represents a smaller departure from UNIX conventions.

True.

> I tried adding an extra IP address - 127.0.0.X - to the IP chroot and
> defining that as `localhost' in /etc/hosts, and eventually after
> finding that SSH local port forwarding (to pick on an application for
> which it didn't work) was always trying to bind to 127.0.0.1, I found
> this gem in glibc:
>
> /* Network number for local host loopback.  */
> #define	IN_LOOPBACKNET		127
> /* Address to loopback in software to local host.  */
> #ifndef INADDR_LOOPBACK
> # define INADDR_LOOPBACK	((in_addr_t) 0x7f000001) /* Inet 127.0.0.1.  */
> #endif
>
> so the getaddrinfo() call will always return 127.0.0.1 for the local
> host.  Which is a bit of an arse really, but I think I'd probably just
> get laughed at or ignored if I logged a bug against it.

I think you should file a bug report.

/etc/hosts contains an entry for "localhost" on every system.

What is the point of this if glibc is to do it?

If glibc wants to fudge in a value AFTER checking /etc/hosts and finding no 
match then that would be OK.  But doing it unconditionally is wrong.

Of course you probably will get laughed at or ignored, but I think that many 
people will agree with you, so you should file the bug report.

-- 
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
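A small check for the behaviour Sam describes, added here and not part of the original thread: it resolves a name with getaddrinfo() and reports whether each IPv4 result is exactly INADDR_LOOPBACK or some other 127/8 address, so that inside a sandbox you can see whether the alternate loopback address from /etc/hosts is actually what the resolver hands back. The function names are my own; IN_LOOPBACKNET and INADDR_LOOPBACK are the glibc macros quoted above.

```c
#include <arpa/inet.h>
#include <netdb.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Classify an IPv4 address given in host byte order: 2 = exactly
 * INADDR_LOOPBACK (127.0.0.1), 1 = another 127/8 address, 0 = not loopback. */
int classify_loopback(in_addr_t host_order)
{
    if (host_order == INADDR_LOOPBACK)
        return 2;
    if ((host_order >> 24) == IN_LOOPBACKNET)
        return 1;
    return 0;
}

/* Resolve `name` and count IPv4 results that are exactly 127.0.0.1 (*exact)
 * versus another 127/8 address (*other_loop). Returns result count or -1. */
int check_localhost(const char *name, int *exact, int *other_loop)
{
    struct addrinfo hints, *res, *p;
    int n = 0;
    memset(&hints, 0, sizeof hints);
    hints.ai_family = AF_INET;      /* the thread is about IPv4 loopback */
    hints.ai_socktype = SOCK_STREAM;
    *exact = *other_loop = 0;
    if (getaddrinfo(name, NULL, &hints, &res) != 0)
        return -1;
    for (p = res; p; p = p->ai_next) {
        struct sockaddr_in *sin = (struct sockaddr_in *)p->ai_addr;
        char buf[INET_ADDRSTRLEN];
        int c = classify_loopback(ntohl(sin->sin_addr.s_addr));
        inet_ntop(AF_INET, &sin->sin_addr, buf, sizeof buf);
        printf("%s -> %s (%s)\n", name, buf, c == 2 ? "INADDR_LOOPBACK"
               : c == 1 ? "other 127/8" : "not loopback");
        if (c == 2) (*exact)++; else if (c == 1) (*other_loop)++;
        n++;
    }
    freeaddrinfo(res);
    return n;
}

int main(void)
{
    int exact, other, n = check_localhost("localhost", &exact, &other);
    if (n < 0) { puts("resolution failed"); return 1; }
    printf("%d result(s): %d exactly 127.0.0.1, %d other 127/8\n", n, exact, other);
    return 0;
}
```

Run it both outside and inside the chroot: if "localhost" maps to 127.0.0.X in the chroot's /etc/hosts but the tool still reports only INADDR_LOOPBACK, the resolver is not honouring the hosts file for that name.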
