
Re: Different roots for each process possible?



> It seems I wasn't clear enough. 

I think I understand you, but it seems that I was not clear enough about
how the Hurd works.

> Now, the prisoner doesn't have any references to the outside of the
> prison, you made sure of that (I'm ignoring some other potential
> problems like other processes that the prisoner might attach a
> debugger to). But watch him breaking out using only another chroot...
> 
>   $ mkdir foo
>   $ chroot foo          # Shrink the prison, without changing the cwd.
>   $ cat ../file         # Now our cwd is outside the prison! Use it.
>   Freedom

This does not work on the Hurd.  After that chroot, the current working
directory still behaves just as it did before the chroot--that is, ".." is
still redirected back to "." ("/the/prison").  If you like, there is a new
"prison" created whenever you do a chroot call (prisons within prisons).
This is actually done by the file_parent RPC, which creates what in our
source code we call a "shadow tree" stemming from the "shadow root" that is
what file_parent returns (and becomes the process's root directory port).

> So on unix, you have to do
> 
>   $ chroot /the/prison
>   $ cd /
>   $ su some-non-root-user prisoner
> 
> and rely on non-root users not having enough privileges to use chroot.
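
The difference discussed in this message, as an added toy model (not part of the original mail, and not Hurd or Unix source code): it follows ".." after the nested chroot under the one-root-per-process rule and under a rule where the cwd handle keeps the root it was opened under, which is the behaviour the reply describes. The class names `UnixProc` and `ShadowProc`, the helper `climb`, and the directory table are constructed for illustration.

```python
# Toy model of ".." resolution (constructed tree, not real kernel code).
PRISON = "/the/prison"
PARENT = {"/": "/", "/the": "/", PRISON: "/the", PRISON + "/foo": PRISON}


class UnixProc:
    """One root per process; ".." is clamped only when cwd is that root."""

    def __init__(self, root):
        self.root = self.cwd = root

    def chroot(self, path):
        self.root = path               # cwd is deliberately left untouched

    def chdir_root(self):
        self.cwd = self.root           # the "cd /" step of the Unix recipe

    def dotdot(self):
        if self.cwd != self.root:
            self.cwd = PARENT[self.cwd]


class ShadowProc(UnixProc):
    """Assumed model: the cwd handle remembers the root it was opened under."""

    def __init__(self, root):
        super().__init__(root)
        self.cwd_root = root           # root bound to the cwd handle itself

    def chdir_root(self):
        self.cwd = self.cwd_root = self.root

    def dotdot(self):
        if self.cwd != self.cwd_root:  # clamp at the handle's own root
            self.cwd = PARENT[self.cwd]


def climb(proc, shrink_to, cd_root=False, steps=8):
    """chroot into shrink_to, optionally cd /, then follow ".." repeatedly."""
    proc.chroot(shrink_to)
    if cd_root:
        proc.chdir_root()
    for _ in range(steps):
        proc.dotdot()
    return proc.cwd


if __name__ == "__main__":
    foo = PRISON + "/foo"
    print("unix, chroot only  :", climb(UnixProc(PRISON), foo))
    print("unix, chroot + cd /:", climb(UnixProc(PRISON), foo, cd_root=True))
    print("shadow-root model  :", climb(ShadowProc(PRISON), foo))
```

Only the first case ends outside `/the/prison`; the other two stay clamped, which is why the Unix recipe needs the `cd /` step and the privilege drop.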


