Re: [Jailkit-dev] more jk_jailuser bugs

[Stephen Tallowitz]

> saves me a lot of work (and thus more time for the parallel init program
> I'm writing :) )

You're not by any chance involved in 
http://initng.thinktux.net/index.php/Main_Page, which has received a huge 
interest in the gentoo community? Didn't see your name there.

> opt 1 and then tell the user to move the files him/herself.. hmm I'm now
> wondering what the problems of system('mv source jail/source') are.. do
> you have a clear view on the possible problems?

I think the security problem stems from the fact that builtin 
commands/functions of a programming language are usually linked against some 
system libraries. So any modifying a system library or the progamming language 
executables and libraries to gain root access or install a rootkit can be 
watched by the popular checksum watchers (tripwire et al). Executing a shell 
command basically leaves open the possibility of anyone putting in an alias 
such as mv="rm -rf /" or mv="install-my-rootkit". And aliases are probably not 
what checksum-programms look out for. There are probably many ways to inject 
such an alias to the root-user, there need only be one incorrectly configured 
service or directory on a computer.
jk_jailuser is always executed as root, so being just that little bit more 
security conscious might not be a bad idea.