Slashdot has an article on “when not to use chroot” which links to a KernelTrap discussion. The basic summary: chroot is a UNIX command (and the system call behind it) that changes a process’s root (top-level) directory to somewhere else, and it is useful for several sysadmin tasks, including “jailing” programs by making sure they can’t see anything other than the files necessary for them to run.
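For concreteness, here is what the “jailing” step looks like when a daemon does it properly. This is an added example, not code from the post or from any of the programs it mentions; it assumes Linux/glibc, that the jail directory already contains whatever the jailed program needs (binary, libraries, config), and that the caller is root when it runs. The uid/gid values and the path `/var/www/jail` in the usage note are placeholders.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* Outcome of jail_into(), so a caller can tell which step failed. */
enum jail_status {
    JAIL_OK = 0,
    JAIL_BAD_ARGS,    /* refused: caller asked to stay uid 0 or gid 0 inside the jail */
    JAIL_CHROOT,      /* chroot(2) failed: EPERM when not root, ENOENT for a missing dir, ... */
    JAIL_CHDIR,       /* chdir("/") inside the new root failed */
    JAIL_DROP,        /* setgroups/setgid/setuid failed */
    JAIL_STILL_ROOT   /* the privilege drop did not stick */
};

const char *jail_status_str(int st)
{
    switch (st) {
    case JAIL_OK:         return "ok";
    case JAIL_BAD_ARGS:   return "refusing to keep root inside the jail";
    case JAIL_CHROOT:     return "chroot failed";
    case JAIL_CHDIR:      return "chdir(\"/\") failed";
    case JAIL_DROP:       return "privilege drop failed";
    case JAIL_STILL_ROOT: return "still root after drop";
    default:              return "unknown status";
    }
}

/*
 * Confine the calling process to `dir` and drop to uid/gid.
 * The order matters:
 *   1. chroot() while still root, because it is a privileged call.
 *   2. chdir("/"): chroot() leaves the working directory untouched, and a
 *      cwd outside the new root is an open handle back to the real filesystem.
 *   3. Drop supplementary groups, then gid, then uid. A process that keeps
 *      root inside a chroot can undo the jail, which is the point Alan Cox
 *      is making; the jail only holds for an unprivileged process.
 *   4. Verify the drop cannot be reversed before handing control to the
 *      jailed program.
 */
int jail_into(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || uid == 0 || gid == 0)
        return JAIL_BAD_ARGS;
    if (chroot(dir) != 0)
        return JAIL_CHROOT;
    if (chdir("/") != 0)
        return JAIL_CHDIR;
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_DROP;
    /* If any of these succeed, the jail is worthless: refuse to continue. */
    if (geteuid() == 0 || getuid() == 0 || setuid(0) == 0)
        return JAIL_STILL_ROOT;
    return JAIL_OK;
}

/* Stand-alone use: jail <dir> <uid> <gid> <cmd> [args...], run as root. */
int main(int argc, char **argv)
{
    if (argc < 5) {
        fprintf(stderr, "usage: %s <jaildir> <uid> <gid> <cmd> [args...]\n", argv[0]);
        return 2;
    }
    uid_t uid = (uid_t)strtoul(argv[2], NULL, 10);
    gid_t gid = (gid_t)strtoul(argv[3], NULL, 10);
    int st = jail_into(argv[1], uid, gid);
    if (st != JAIL_OK) {
        fprintf(stderr, "jail_into: %s: %s\n", jail_status_str(st), strerror(errno));
        return 1;
    }
    /* The path is now resolved relative to the jail, so /bin/sh means <jaildir>/bin/sh. */
    execv(argv[4], &argv[4]);
    perror("execv");
    return 1;
}
```

Assuming the jail has been populated, `sudo ./jail /var/www/jail 33 33 /bin/sh` drops you into a shell that can only see the jail’s contents and cannot get root back. Note what the function refuses to do: it will not build a jail for uid 0, because a root process inside a chroot is not meaningfully confined, which is the whole substance of the “chroot is not a security tool” argument. The jail is one layer; the privilege drop is what makes it stick.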
I’ve used chroots several times to fix systems with bad kernels. I’ve used chroots to compile Debian software. I’ve used them to bootstrap system installs. And I’ve used them, in fact continue to use them, even as we speak, for security. And I like to think that I’m not incompetent.
In any endeavor there are people with different levels of skill. I know that I’m not on top in terms of Linux expertise — there are people who were doing Linux before I even had a computer. But I do cringe when I see this sort of ridiculous blanket criticism of a common use of a versatile tool. So Bill Joy invented chroots in the 70s because he was having problems with some compiler. Who cares. Today many important programs use or support chroots for improved security, and they do it because it works. So why the need to call people who use tools in effective ways idiots, just because they aren’t using something as it was originally intended?
That sounds like the sort of thing an Apple CEO should say, not an open-source kernel hacker. It’s sort of sad, really. Meanwhile, I have two dozen Apache instances humming away, safely jailed in their own chroots, serving up web pages as they have been for the last year and a half.
Security doesn’t work in absolutes. You do the best you can, and put a bunch of different layers in place so that if something fails, there are other layers to offer protection.
Alan says: “A fence with 10000 open gates is not improved by turning it into a fence with 9999 open gates.” Actually, it is improved when there are other layers of security in place, and you never know which gate an attacker might try. Plus, that’s a terrible metaphor (for one, chroot is definitely better than a 0.01% improvement, though measuring it quantitatively is probably impossible).
Alan is being a jerk. So is Linus sometimes. And a bunch of other super-smart geeks. And, well, a lot of other people who hang out online. I don’t know if it’s because something is mentally wrong with them (savants with no social skills), they think they can get away with it because they think they are smarter than everyone else, or maybe the anonymity of the internet can do that to you.
So I disagree with you about an open-source kernel hacker saying something like that. I fully expect that type of outburst 😉 I’ve even seen other well-respected people tell Alan to stop throwing temper tantrums every time he disagrees with what is said.