Version française
Home     About     Download     Resources     Contact us    

This site is updated infrequently. For up-to-date information, please visit the new OCaml website at

Browse thread
How does chroot work ?
[ Home ] [ Index: by date | by threads ]
[ Search: ]

[ Message by date: previous | next ] [ Message in thread: previous | next ] [ Thread: previous | next ]
Date: 2010-12-18 (23:02)
From: Gregory BELLIER <gregory.bellier@g...>
Subject: Re: [Caml-list] How does chroot work ?
Le 18/12/2010 20:31, Gerd Stolpmann a écrit :
> Am Samstag, den 18.12.2010, 18:09 +0100 schrieb Gregory Bellier:
>> Hi !
>> For security reasons, I would like to chroot a child process but I
>> can't do it unless this process is root.
>> How does it work exactly ?
> If everybody could chroot it would be possible to change passwords and
> do other privileged operations in the new chroot (it depends on the OS
> how dangerous this really is, but POSIX assumes it is dangerous).
> Because of this it is restricted to root.
> Furthermore, chroot is not designed for enhancing the security. A root
> process can undo chroot (look it up in the web, it's tricky but
> possible). If a normal user could chroot, everybody could also break
> out.
> So, usually you would start a new process as root, establish the chroot
> there, and setuid to a non-privileged user for doing the real work. If
> you cannot start as root, you could alternatively also set the setuid
> bit of the executable. However, running a process with setuid root adds
> new security dangers, so it is questionable whether you can improve the
> overall security by such means.
> I'd advise not to use chroot unless you exactly understand what you are
> doing.
> Gerd
Hi Gerd and thank you for your email.

Yes, I know what I'm doing.