Many daemons can be run chroot()ed, so I fail to see the need for
VXE. It might make things easier, but lets take named and sendmail
a) both can be run chrooted()
b) it might not be easy, but it can be done
VXE defines restriction not for filesystem access only, but for all syscalls (IPC and so on). Moreover, VXE is more convenient tool for description of
filesystem access then chroot();
Chroot isn't easy to use in many cases.
Example 1: POP server will read /etc/passwd and /etc/shadow - if you make chroot, you will make copies of this files and keep them intact;
when you chroot you will make copies of shared libraries and other stuff - so it is a problem on the production site - you will change places of already used files; some files used in different subsystems - one
subsystem write to file and another read from it - chroot can't help in this situation.
When you chroot for POPD - it is still able to damage its own copy of /etc/shadow... VXE prevents this. POPD doesn't need write
permission for /etc/passwd and /etc/shadow, so VXE will block write attempts.
Example 2: CGI-scripts - it's very difficult to chroot evry script - you will provide needed programs, shared libraries and so on. This is
why chroot isn't used in such situations.