Preemptive strategies

Heiko Zuerker heiko at
Thu Sep 18 00:03:02 PDT 2008

Quoting "Robert Connolly" <robert at>:

> On Monday September 15 2008 12:21:16 pm Chris Buxton wrote:
>> I have some experience with chroot jails, including setting them up
>> from scratch and debugging them.
> Do you use the 'runas' program? Are there reasons not to use it?

We use "compartment" in Devil-Linux. I think the guys at SuSE wrote  
it. It helps you if the maintainer of a program didn't add any code to  
run it as non-root. It also allows you to use assign only certain  
privileges to the program.

Take a look at the JAILKIT, it provides a handy tool jsocketd. This  
spares you all the trouble with having syslog(-ng) listen in  
additional chroot folder structures. You simply add the creation of  
the forwarding socket to the jail initialization script.

Unfortunately chroot jails are like a step child, nobody really wants  
to maintain them. There's a lot we could do, but you need the time to  
pull it off...


   Heiko Zuerker

This message was sent using IMP, the Internet Messaging Program.

More information about the hlfs-dev mailing list