
Comment Re: Security... (Score 1) 72

Actually, you can give access to what you want, /dev, /proc, /sys... or not as you wish. Letting anything run as root in a chroot when using it as a mild isolation technique is a big no-no and has always been.

chroot can still be used as a mild isolation technique if you know what you are doing. That's why I mentioned that privilege escalation can happen even in VMs.

Damn, I remember back in the days, logging into a system as guest and getting root in 30 seconds with an xterm exploit. Privilege escalation is the name of the game.

Comment Re: Security... (Score 2, Interesting) 72

Hmm, chroot needs to include its own OS or at least the parts you need to run said chrooted process unless compiled statically and still. This would make it more than sandbox lite according to your definition.

chroot is viewed as less secure than BSD jails because it wasn't designed for a security purpose in the first place.

I have a Slackware pure 64-bit, no 32-bit compat whatsoever. I chroot to a 32-bit full install and everything runs smoothly for legacy 32-bit apps.

Granted, only one kernel runs, 1 /sys, /proc, etc., which is "less isolated" than a qemu VM but lets you run on bare metal for specific applications.

Anyway, even VMs can be victims of privilege escalation. BSD jail is less subject to it than chroot I hear. Good old unix chroot still has its usage nevertheless IMHO.

Comment Re: Waste of time (Score 1) 39

Increasingly systems like Comcast X1 are delivering live linear streams as IP - just IP that never needs to suffer the packet loss and jitter of the open Internet.

Most cable cos do this now. Mine has even dropped support for analog signal over cable. OK, that pissed me off because there's no way to just hook up a splitter/booster and have TV in all rooms by yourself anymore. I now need a device for each TV and the devices receive the signal through IP even if you don't subscribe to Internet services with them.

They typically use LAN IPs (usually to route traffic even for Internet subscribers. You just don't usually see it but I noticed the dhcpd giving me my Internet public address all have addresses and I needed to allow communication with them since I usually block that traffic.

I also worked for some cable co doing provisioning software and such. Each Internet cable modem has at least 2 IP addresses, one and a public IP. They route to your public IP through the address.

route add (publicIP) gw ( address) for the Internet access.

The TV devices are plugged in before the cable modem so they have direct access to the internal cable co LAN without going through the cable modem. Each TV device has its own MAC address and IP. Easy enough to know what you are watching, isn't it?

By the way, cable co that offer phone also do it through IP (VOIP) and you don't notice unless you try to use an old fax machine and even then...

In the end, the cable network has become just an IP network over DOCSIS.

Comment Re:Really? (Score 1) 149

No problems here, I run my own DNS and flush the cache at will if needed to query the root server and then authoritative server etc. Handy for testing sometimes when moving domains. Once the customer domain moved and the tests are conclusive, it happens that I have to tell the customer that his previous provider should have set the TTL lower than 3 weeks so people using their provider DNS could see the site a little earlier ;-)

I usually set TTL from 10 minutes (dyndns) to 6 hours depending on the domain to make moving easier.

Comment Re:E.g. We can't use it if we can't cheat (Score 1) 87

Since then I've seen a number of accounting systems that allow all sorts of monkeying around, including posting adjusting entries for a fiscal year within that fiscal year, even though you may be a couple of months into the current fiscal year. It seems common practice now, but a quarter of a century ago that was viewed as completely inappropriate, as it opened the door for fraud.

Thanks for updating me to 2016, amazing!

Of course, as another poster has mentioned, it is always possible to restore from backup or whatever to fool the system around but the only thing I knew about was what I described first.
