
Re: [Chicken-users] Packaging libraries securely


From: Ivan Shmakov
Subject: Re: [Chicken-users] Packaging libraries securely
Date: Mon, 1 Oct 2007 10:42:06 +0700

>>>>> Tony Sidaway <address@hidden> writes:

 >>> The sandbox egg will be the only thing that gives a bit of
 >>> security, but it provides only a very basic Scheme dialect and is
 >>> pretty slow.  The only (somewhat brute-forcish) solution that comes
 >>> to mind is to compile to a static executable and hack something
 >>> together with rlimit and chroot(1).

 >> D'oh - to be safe you want to compile it in a chroot too -
 >> expansion/compile-time code might break as well...

 > Thanks, Felix, and thanks also to Peter Bex for the "sandbox egg"
 > suggestion.  My apologies for not acknowledging the responses
 > earlier.

 > I've investigated "chroot" jail methods, and it seems to me that a
 > solution that involves the acquisition of root by a program that
 > doesn't otherwise need it could be a classic example of "jumping
 > out of the frying pan into the fire".  If the user wants to import
 > a rootkit, fine, but I don't want to do half his work for him!

        Once the program has completed the chroot () call, the privileges
        could safely be dropped with setuid ().  It's how most
        daemons do it.

        Alternatively, the schroot (or dchroot) package could be
        considered.

[...]
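
The chroot-then-setuid sequence mentioned in the reply above, as an added example that is not part of the original message or of any Chicken code. The function name enter_jail and the JAIL_* codes are hypothetical; it assumes Linux/glibc and a process started as root.

```c
#define _DEFAULT_SOURCE          /* exposes chroot() and setgroups() on glibc */
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical result codes: each failure names the step that failed. */
enum { JAIL_OK = 0, JAIL_ERR_TARGET = -1, JAIL_ERR_CHROOT = -2,
       JAIL_ERR_CHDIR = -3, JAIL_ERR_GROUPS = -4, JAIL_ERR_GID = -5,
       JAIL_ERR_UID = -6, JAIL_ERR_REGAIN = -7 };

/* Confine the calling process to `dir`, then give up root for good.
 * Must be called as root; uid/gid are the unprivileged target identity. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* "Dropping" to uid 0 or gid 0 would leave the process privileged. */
    if (dir == NULL || uid == 0 || gid == 0)
        return JAIL_ERR_TARGET;
    if (chroot(dir) != 0)
        return JAIL_ERR_CHROOT;
    /* Without this the working directory still points outside the jail. */
    if (chdir("/") != 0)
        return JAIL_ERR_CHDIR;
    /* Order matters: changing groups needs root, so the uid goes last. */
    if (setgroups(0, NULL) != 0)
        return JAIL_ERR_GROUPS;
    if (setgid(gid) != 0)
        return JAIL_ERR_GID;
    if (setuid(uid) != 0)
        return JAIL_ERR_UID;
    /* As root, setuid() sets real, effective and saved ids; verify it. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid)
        return JAIL_ERR_REGAIN;
    return JAIL_OK;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s JAIL_DIR UID GID\n", argv[0]);
        return 2;
    }
    int rc = enter_jail(argv[1], (uid_t)strtoul(argv[2], NULL, 10),
                        (gid_t)strtoul(argv[3], NULL, 10));
    if (rc != JAIL_OK) {
        fprintf(stderr, "enter_jail failed at step %d\n", -rc);
        return 1;
    }
    printf("jailed as uid=%d gid=%d\n", (int)getuid(), (int)getgid());
    return 0;
}
```

Every return value is checked because a failed setgid() or setuid() that goes unnoticed leaves the process running as root inside the jail, where root can break out of a chroot.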



