11 Dec 2009, 8:21 a.m.
Pierre Schmitz wrote:
On Friday, 11 December 2009 01:02:34, Thomas Bächler wrote:
If you just want chroot, "setcap cap_sys_chroot +ep /usr/bin/whatever" is sufficient.
The point is that it does not work. See http://src.chromium.org/svn/releases/4.0.267.0/src/chrome/browser/zygote_hos...
At least I didn't get it working; but it might be possible. A good starting point is http://code.google.com/p/chromium/wiki/LinuxSandboxing
It checks explicitly whether the "sandbox binary" is setuid, which is as stupid as using a setuid binary in the first place. What does the "sandbox binary" even do exactly? If you really need setuid for it, it's certainly a stupid design.
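Added example, not part of the original thread and not Chromium's code: a Python sketch that decodes the `security.capability` extended attribute written by `setcap` and reports it alongside the setuid bit, the two ways of granting privilege that the messages above contrast. The function names and the sample bytes are constructed for illustration.

```python
import os
import stat
import struct

CAP_SYS_CHROOT = 18                 # value from <linux/capability.h>
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x000001
# revision -> number of 32-bit (permitted, inheritable) pairs that follow
_REV_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}


def parse_vfs_cap(blob):
    """Decode a security.capability xattr (struct vfs_cap_data, little-endian)."""
    if len(blob) < 4:
        raise ValueError("xattr too short")
    (magic,) = struct.unpack_from("<I", blob, 0)
    words = _REV_WORDS.get(magic & VFS_CAP_REVISION_MASK)
    if words is None:
        raise ValueError("unknown capability revision in 0x%08x" % magic)
    if len(blob) < 4 + 8 * words:
        raise ValueError("truncated capability data")
    permitted = inheritable = 0
    for i in range(words):
        p, inh = struct.unpack_from("<II", blob, 4 + 8 * i)
        permitted |= p << (32 * i)
        inheritable |= inh << (32 * i)
    return {"permitted": permitted, "inheritable": inheritable,
            "effective": bool(magic & VFS_CAP_FLAGS_EFFECTIVE)}


def has_chroot_ep(blob):
    """True if the xattr grants CAP_SYS_CHROOT as permitted and effective."""
    caps = parse_vfs_cap(blob)
    return caps["effective"] and bool(caps["permitted"] >> CAP_SYS_CHROOT & 1)


def audit(path):
    """Report how a binary on disk gets privilege: setuid root, file caps, or neither."""
    st = os.stat(path)
    setuid_root = bool(st.st_mode & stat.S_ISUID) and st.st_uid == 0
    try:
        blob = os.getxattr(path, "security.capability")
    except OSError:
        blob = None  # no file capabilities set, or xattrs unsupported
    return {"setuid_root": setuid_root,
            "chroot_ep": has_chroot_ep(blob) if blob else False}


# Constructed sample: a revision-2 xattr carrying cap_sys_chroot+ep.
SAMPLE = struct.pack("<IIIII", 0x02000000 | 1, 1 << CAP_SYS_CHROOT, 0, 0, 0)
```

A binary for which `audit()` returns `chroot_ep` true and `setuid_root` false holds only the chroot capability, so a check that looks solely at the setuid bit would not recognise it.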