FAQ
VXE Home
Overview
Installation guide
User's guide
Download
FAQ
Tips
Discussion
Contacts

Q:

Many daemons can be run chroot()ed, so I fail to see the need for VXE. It might make things easier, but lets take named and sendmail

a) both can be run chrooted()

b) it might not be easy, but it can be done

A:

VXE defines restriction not for filesystem access only, but for all syscalls (IPC and so on). Moreover, VXE is more convenient tool for description of filesystem access then chroot();

Chroot isn't easy to use in many cases.

Example 1: POP server will read /etc/passwd and /etc/shadow - if you make chroot, you will make copies of this files and keep them intact; when you chroot you will make copies of shared libraries and other stuff - so it is a problem on the production site - you will change places of already used files; some files used in different subsystems - one subsystem write to file and another read from it - chroot can't help in this situation.

When you chroot for POPD - it is still able to damage its own copy of /etc/shadow... VXE prevents this. POPD doesn't need write permission for /etc/passwd and /etc/shadow, so VXE will block write attempts.

Example 2: CGI-scripts - it's very difficult to chroot evry script - you will provide needed programs, shared libraries and so on. This is why chroot isn't used in such situations.

 

[VXE Home] [Overview] [Instalation guide] [User's guide] [Download] [FAQ] [Tips] [Discussion] [Contacts]

VXE is a trademark of  InteS. All other products mentioned are registered trademarks or trademarks of their respective companies. Questions or problems regarding this web site should be directed to webmaster@quercitron.com. Copyright © 1999-2004 InteS. All rights reserved.