web browser suid [was Preemptive strategies]
robert at linuxfromscratch.org
Tue Sep 30 18:48:07 PDT 2008
On Tuesday September 30 2008 09:12:00 pm Kevin Day wrote:
> There is the possibility of read-only bind mounts to avoid the copying
> and prevent apps inside the chroot from writing to whatever may be
> bind mounted.
I just tried to bind mount /lib and /usr/lib to /tmp/bind-test, and /usr/lib
replaces the /lib mount, instead of adding to it.
It may work with something like mounting /opt/lynx2.8.6rel.5
to /var/chroot/lynx, where Lynx was installed with
DESTDIR=/opt/lynx2.8.6rel.5, so that /opt/lynx2.8.6rel.5/usr/bin/lynx exists,
and then /lib can be mounted to /var/chroot/lynx/lib.
This gets around the problem when upgrading dependency libraries, but it adds
more files to the chroot than we need. It's not that bad though. It's not
flexible enough to work with any package, but I can't think of any package
that can use a chroot like this that it wouldn't work with.
Bind mounting single files would be nice (a hard link across mount points),
but it would make a serious mess out of /proc/mounts.
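As an added example (not code from the post or from the HLFS project), the layout described above written out as a script: the package is installed with DESTDIR=/opt/lynx2.8.6rel.5, that tree is bind-mounted read-only as the chroot root, and each host library directory gets its own mount point beneath it, which avoids the shadowing seen when /lib and /usr/lib are mounted onto the same directory. The second function checks a mount table in /proc/mounts format and reports any mount under the chroot that is not read-only; the paths and the sample mount lines are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example for the hlfs-dev thread, not the project's own code.
# Assumed layout: /opt/lynx2.8.6rel.5 is the DESTDIR install, /var/chroot/lynx
# is the chroot root. Nothing is mounted unless the plan is piped to sh as root.
set -e

# Print the commands that assemble the chroot. Each host directory gets its own
# mount point under $root so one bind mount never shadows another. The mount
# points are created inside the DESTDIR tree first, because after the tree is
# remounted read-only no directory can be added to it. The read-only flag is
# applied with a separate remount: a single "mount -o bind,ro" does not make
# the bind mount read-only on kernels and util-linux of this era.
chroot_bind_plan() {
    destdir=$1   # package DESTDIR install, e.g. /opt/lynx2.8.6rel.5
    root=$2      # chroot root, e.g. /var/chroot/lynx
    shift 2      # remaining arguments: host directories to expose, e.g. /lib /usr/lib
    for dir in "$@"; do
        echo "mkdir -p $destdir$dir"
    done
    echo "mkdir -p $root"
    echo "mount --bind $destdir $root"
    echo "mount -o remount,bind,ro $destdir $root"
    for dir in "$@"; do
        echo "mount --bind $dir $root$dir"
        echo "mount -o remount,bind,ro $dir $root$dir"
    done
}

# Read a mount table in /proc/mounts format from stdin and verify that every
# mount at or below $1 carries the "ro" option. Returns 1 and names the
# offending mount points on stderr if any are still writable.
mounts_readonly_ok() {
    root=$1
    rc=0
    while read -r _dev mnt _type opts _rest; do
        case $mnt in
            "$root"|"$root"/*)
                case ",$opts," in
                    *,ro,*) ;;
                    *) echo "not read-only: $mnt ($opts)" >&2; rc=1 ;;
                esac ;;
        esac
    done
    return $rc
}

# Show the plan for the layout discussed in the post (prints only, mounts nothing).
chroot_bind_plan /opt/lynx2.8.6rel.5 /var/chroot/lynx /lib /usr/lib
```

To apply the plan, run `chroot_bind_plan /opt/lynx2.8.6rel.5 /var/chroot/lynx /lib /usr/lib | sh` as root, then confirm the result with `mounts_readonly_ok /var/chroot/lynx </proc/mounts` (the check assumes /proc/mounts shows per-mount flags, which is the case from kernel 2.6.26 on). The check matters because on older tooling the `ro` flag on a bind mount is silently ignored, leaving the chroot able to write to the host's library directories.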