Re: Sandboxing Debian [was: Re: chroot administration]
On Thu, 15 Aug 2002 12:50, Sam Vilain wrote:
> > There are some limitations with it. The biggest limitation when
> > compared to my SE Linux work is its lack of flexibility. I can
> > setup a SE Linux chroot, then do a bind mount of /home/www, and
> > grant read-only access to the files and directories of user_home_t
> > and search access to directories of type user_home_dir_t.
>
> This stuff is accomplished through file immutability and Linux
> capabilities. It's not as flexible as the system you're describing
> sounds, but it does work with standard Linux filesystem features and
> represents a smaller departure from UNIX conventions.
True.
> I tried adding an extra IP address - 127.0.0.X - to the IP chroot and
> defining that as `localhost' in /etc/hosts, and eventually after
> finding that SSH local port forwarding (to pick on an application for
> which it didn't work) was always trying to bind to 127.0.0.1, I found
> this gem in glibc:
>
> /* Network number for local host loopback. */
> #define IN_LOOPBACKNET 127
> /* Address to loopback in software to local host. */
> #ifndef INADDR_LOOPBACK
> # define INADDR_LOOPBACK ((in_addr_t) 0x7f000001) /* Inet 127.0.0.1. */
> #endif
>
> so the getaddrinfo() call will always return 127.0.0.1 for the local
> host. Which is a bit of an arse really, but I think I'd probably just
> get laughed at or ignored if I logged a bug against it.
I think you should file a bug report.
/etc/hosts contains an entry for "localhost" on every system.
What is the point of this if glibc is to do it?
If glibc wants to fudge in a value AFTER checking /etc/hosts and finding no
match then that would be OK. But doing it unconditionally is wrong.
Of course you probably will get laughed at or ignored, but I think that many
people will agree with you, so you should file the bug report.
--
I do not get viruses because I do not use MS software.
If you use Outlook then please do not put my email address in your
address-book so that WHEN you get a virus it won't use my address in the
From field.
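A check a sandbox administrator can run to see whether the behaviour described in this thread affects their system, written as an added example (not code from the thread or from glibc): it pulls the "localhost" entry out of hosts-format text (a constructed sample stands in for /etc/hosts) and compares it with what getaddrinfo() returns, so a resolver that hands back the hard-coded INADDR_LOOPBACK 127.0.0.1 instead of the configured address shows up as a mismatch.

```c
#include <stdio.h>
#include <string.h>
#include <netdb.h>
#include <arpa/inet.h>

/* Scan hosts-format text for the first IPv4 line naming "localhost".
 * Copies the address into out and returns 1; returns 0 if none. */
int hosts_localhost(const char *hosts, char *out, size_t outlen)
{
    char buf[256];
    while (*hosts) {
        const char *nl = strchr(hosts, '\n');
        size_t len = nl ? (size_t)(nl - hosts) : strlen(hosts);
        if (len < sizeof buf) {
            memcpy(buf, hosts, len);
            buf[len] = '\0';
            char *hash = strchr(buf, '#');          /* drop comments */
            if (hash) *hash = '\0';
            char *addr = strtok(buf, " \t\r"), *name;
            if (addr && strchr(addr, '.'))          /* IPv4 entries only */
                while ((name = strtok(NULL, " \t\r")) != NULL)
                    if (strcmp(name, "localhost") == 0) {
                        snprintf(out, outlen, "%s", addr);
                        return 1;
                    }
        }
        if (!nl) break;
        hosts = nl + 1;
    }
    return 0;
}

/* Ask the libc resolver (getaddrinfo, IPv4 only) what "localhost" is. */
int resolver_localhost(char *out, size_t outlen)
{
    struct addrinfo hints = {0}, *res;
    hints.ai_family = AF_INET;
    if (getaddrinfo("localhost", NULL, &hints, &res) != 0) return 0;
    inet_ntop(AF_INET, &((struct sockaddr_in *)res->ai_addr)->sin_addr,
              out, (socklen_t)outlen);
    freeaddrinfo(res);
    return 1;
}

int main(void)
{
    /* Constructed sample standing in for the sandbox's /etc/hosts. */
    const char *sample = "# sandbox\n127.0.0.2\tlocalhost sandbox\n::1\tlocalhost\n";
    char hf[64] = "", lc[64] = "";
    hosts_localhost(sample, hf, sizeof hf);
    if (resolver_localhost(lc, sizeof lc))
        printf("hosts entry: %s, getaddrinfo: %s (%s)\n", hf, lc,
               strcmp(hf, lc) == 0 ? "honoured" : "differs");
    return 0;
}
```

To test a real sandbox, read the sandbox's /etc/hosts into a buffer and pass that to hosts_localhost() in place of the sample.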