|
|
|
|
|
|
by phicoh
1799 days ago
|
|
|
The key feature of chroot is that you can provide a process with a completely different filesystem view. You can leave stuff out that exist in the standard view, or change things. Change the contents of system directories. The problem with traditional chroot is that you can typically import setuid applications in this new space which can get confused, for example by a new /etc/passwd file. For this reason, chroot can be used only by root. The advantage of such a NO_NEW_PRIVS flag is that this kind of abuse of setuid applications is not possible. This should make it safe to allow ordinary users to use chroot. |
|
|