
Re: chrooting daemons



Bruce Perens writes:
> From: dark@xs4all.nl (Richard Braakman)
> > It might be even easier to link the daemon statically.
> 
> No, the small security or filesystem integrity gain of using a static-linked
> binary is not worth the cost of having a second copy of libraries in its
> working set. The developers have discussed this several times.

But if the libraries are not hard linked (that would probably be ruined in an
update), I believe they would still be in memory more than once, because
they would then have different inodes and the OS would have no way of knowing
they are the same.

I agree that it's better to have the daemons do the chrooting. Without the
dynamic linker and libraries in the chrooted location, it would be harder
for runaway code to create new programs.

-Topi
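The two technical points in the message above, as an added example that is not code from this thread or from any Debian package: `same_inode()` and `inode_sharing_demo()` show that only a hard link shares the inode (and so a single copy in the page cache), while a byte-identical copy does not; `confine_to_directory()` is the "daemon chroots itself" sequence with the chdir/chroot/chdir("/") ordering and a check that the privilege drop actually stuck. It assumes Linux with glibc, a writable `/tmp`, and uid/gid 65534 as the unprivileged account ("nobody" on many systems); the jail path, the file names and the file contents are constructed for the demonstration.

```c
/* Added example, not code from this thread.  Assumptions: Linux/glibc,
 * /tmp writable, uid/gid 65534 as the unprivileged account.  The files
 * created by inode_sharing_demo() are constructed and removed again. */
#define _DEFAULT_SOURCE 1
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

enum confine_result {
    CONFINE_OK = 0,
    CONFINE_BAD_ARGS,         /* relative jail path, or uid/gid 0 requested */
    CONFINE_NOT_ROOT,         /* chroot(2) needs root (CAP_SYS_CHROOT) */
    CONFINE_CHDIR_FAILED,
    CONFINE_CHROOT_FAILED,
    CONFINE_DROP_FAILED,
    CONFINE_STILL_PRIVILEGED  /* the privilege drop did not stick */
};

/* chdir into the jail, chroot, chdir("/") again so the cwd is inside the
 * new root, then drop supplementary groups, gid and uid in that order
 * (after setuid the process may no longer change its gid).  Root is
 * dropped last because chroot itself requires it. */
int confine_to_directory(const char *jail, uid_t uid, gid_t gid)
{
    if (jail == NULL || jail[0] != '/' || uid == 0 || gid == 0)
        return CONFINE_BAD_ARGS;
    if (geteuid() != 0)
        return CONFINE_NOT_ROOT;
    if (chdir(jail) != 0)
        return CONFINE_CHDIR_FAILED;
    if (chroot(jail) != 0)
        return CONFINE_CHROOT_FAILED;
    if (chdir("/") != 0)
        return CONFINE_CHDIR_FAILED;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return CONFINE_DROP_FAILED;
    /* A real drop cannot be undone: regaining root must fail. */
    if (setuid(0) == 0 || geteuid() != uid || getegid() != gid)
        return CONFINE_STILL_PRIVILEGED;
    return CONFINE_OK;
}

/* 1 if both paths name the same file (same device and inode), 0 if not,
 * -1 on error.  Only in this case can the kernel map one copy of a library
 * for every process that loads it. */
int same_inode(const char *a, const char *b)
{
    struct stat sa, sb;
    if (stat(a, &sa) != 0 || stat(b, &sb) != 0)
        return -1;
    return sa.st_dev == sb.st_dev && sa.st_ino == sb.st_ino;
}

static int write_file(const char *path, const char *text)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0)
        return -1;
    ssize_t n = write(fd, text, strlen(text));
    close(fd);
    return n == (ssize_t)strlen(text) ? 0 : -1;
}

/* Constructed files under /tmp: a fake "library", a hard link to it and a
 * byte-identical copy.  Returns 1 when the link shares the inode and the
 * copy does not, 0 otherwise, -1 if the files could not be created. */
int inode_sharing_demo(void)
{
    char orig[64], link_path[64], copy_path[64];
    snprintf(orig, sizeof orig, "/tmp/libdemo_%ld.so", (long)getpid());
    snprintf(link_path, sizeof link_path, "%s.link", orig);
    snprintf(copy_path, sizeof copy_path, "%s.copy", orig);

    const char *bytes = "constructed fake library bytes\n";
    int result = -1;
    if (write_file(orig, bytes) == 0) {
        if (link(orig, link_path) == 0 && write_file(copy_path, bytes) == 0)
            result = same_inode(orig, link_path) == 1 &&
                     same_inode(orig, copy_path) == 0;
        unlink(link_path);
        unlink(copy_path);
        unlink(orig);
    }
    return result;
}

/* Stand-alone use: ./a.out [/absolute/jail]  (confinement needs root). */
int main(int argc, char **argv)
{
    printf("hard link shares inode, copy does not: %s\n",
           inode_sharing_demo() == 1 ? "yes" : "no");
    if (argc > 1) {
        int r = confine_to_directory(argv[1], 65534, 65534);
        printf("confine_to_directory(%s): %d\n", argv[1], r);
        return r;
    }
    return 0;
}
```

The jail directory itself should contain only what the daemon needs after start-up: no `/lib`, no `ld.so`, no shell, and no writable directory that is also executable, which is exactly why the thread prefers the daemon doing the chroot over shipping a second copy of the libraries into it.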
