Received: with LISTAR (v1.0.0; list gopher); Wed, 23 Jan 2002 10:42:50 -0500 (EST)
Return-Path:
Delivered-To: gopher@complete.org
Received: from ingwaz.pair.com (ingwaz.pair.com [209.68.1.186]) by pi.glockenspiel.complete.org (Postfix) with SMTP id 08A913B8A9 for ; Wed, 23 Jan 2002 10:42:50 -0500 (EST)
Received: (qmail 2081 invoked by uid 3017); 23 Jan 2002 15:42:49 -0000
Date: 23 Jan 2002 15:42:49 -0000
Message-ID: <20020123154249.2080.qmail@ingwaz.pair.com>
To: gopher@complete.org
From: Robert Hahn
Subject: [gopher] Re: Security issues in Gopher?
X-archive-position: 388
X-listar-version: Listar v1.0.0
Sender: gopher-bounce@complete.org
Errors-to: gopher-bounce@complete.org
X-original-sender: rhahn@tenletters.com
Precedence: bulk
Reply-to: gopher@complete.org
List-help:
List-unsubscribe:
List-software: Listar version 1.0.0
X-List-ID: Gopher
List-subscribe:
List-owner:
List-post:
List-archive:
X-list: gopher

Kind of an FYI: I re-read the man page in light of what I learned in this thread (thanks to all who contributed - great explanations!), and I realized my confusion. The man page says it sets the new root directory - and I thought it meant the home directory for user root, not the root of the filesystem. Tricky. I wonder who I would send that kind of feedback to?

-rh

John Goerzen wrote:
>
> Robert Hahn writes:
>
> > Interesting. I manned chroot last night, which gave me a clear answer as to what and how, but, as is typical with all man pages, lacks a 'why'. :P
> >
> > So, can you explain what the significance of chroot* is and how it
> > increases security? Especially as it compares to running a server
> > either as 'nobody' or (horrors) root?
>
> It means that the files not under that directory are completely and
> forever inaccessible* to that process and all of its children. Even a
> process running as nobody can read /etc/passwd.
>
> So, run gopherd as nobody and put it chrooted, and you've got a
> bombproof protection.
>
> > * Exceptions exist for the superuser.
> >
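The "chroot it, then run it as nobody" pattern John describes, as an added example that is not code from the thread or from gopherd: a C program that enters an assumed empty jail at /tmp/gopher-jail in a forked child, drops to an assumed uid/gid of 65534 for nobody, and then verifies that the host's /etc/passwd is unreachable and that root cannot be regained (the footnote's superuser exception is exactly why the privilege drop has to follow the chroot). It needs root to perform the chroot and reports itself as skipped otherwise.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/wait.h>
#include <unistd.h>

/* Assumed uid/gid for "nobody"; check /etc/passwd on the real host. */
#define NOBODY_UID 65534
#define NOBODY_GID 65534
enum { JAIL_OK = 0, JAIL_FAIL = 1, JAIL_SKIPPED = 77 };

/* Order matters: chroot() needs root, so it goes first; chdir("/") stops the
 * process holding a directory outside the jail; setgroups/setgid/setuid then
 * discard the superuser privileges that are the footnote's "exceptions"
 * (a process that stays root inside a chroot is not really contained). */
static int enter_jail(const char *jail, uid_t uid, gid_t gid) {
    if (chroot(jail) != 0 || chdir("/") != 0) return -1;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0) return -1;
    if (setuid(uid) != 0) return -1;
    return 0;
}

/* Runs the demonstration in a forked child so the caller is never jailed.
 * Returns JAIL_OK when /etc/passwd is unreachable from inside the jail and
 * root cannot be regained; JAIL_SKIPPED when chroot is not permitted. */
int run_jailed_check(const char *jail) {
    if (mkdir(jail, 0755) != 0 && errno != EEXIST) return JAIL_FAIL;
    pid_t pid = fork();
    if (pid < 0) return JAIL_FAIL;
    if (pid == 0) {
        if (enter_jail(jail, NOBODY_UID, NOBODY_GID) != 0)
            _exit(errno == EPERM ? JAIL_SKIPPED : JAIL_FAIL);
        /* The empty jail has no /etc/passwd, so this open must fail. */
        if (open("/etc/passwd", O_RDONLY) >= 0) _exit(JAIL_FAIL);
        /* The drop must be permanent: becoming root again must fail. */
        if (setuid(0) == 0) _exit(JAIL_FAIL);
        _exit(JAIL_OK);
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0) return JAIL_FAIL;
    return WIFEXITED(status) ? WEXITSTATUS(status) : JAIL_FAIL;
}

int main(void) {
    int rc = run_jailed_check("/tmp/gopher-jail");  /* assumed jail path */
    puts(rc == JAIL_OK ? "jailed and unprivileged" :
         rc == JAIL_SKIPPED ? "skipped: chroot needs root" : "check failed");
    return rc;
}
```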