On Wed, Nov 19, 2003 at 01:10:03AM -0500, Justin Zygmont wrote:

> I don't understand why this command is really necessary, if you need
> chroot capability, then the safer way would be to set their shell to the
> file that contains the script.

Not true. Chroot-ing Apache, for example, means that someone using a
hole in Apache still can't do anything outside its root. Most ftp
daemons chroot internally for guest users too.

Ideally, you could run any service in a separate chroot, but setting
it up (with all the needed shared libs and tools) is non-trivial.

See <http://www.onlamp.com/pub/a/bsd/2003/01/23/chroot.html> for an
example, maybe that gives a better view of this often underestimated
UNIX feature, existing since ages.

--
--    Jos Vos <jos@xxxxxx>
--    X/OS Experts in Open Systems BV   |   Phone: +31 20 6938364
--    Amsterdam, The Netherlands        |     Fax: +31 20 6948204
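
The "needed shared libs" step mentioned above, as an added example that is not part of the original message or the linked article: a shell sketch that copies a binary and the libraries ldd reports for it into a jail tree, then checks nothing is missing. The function names and the /srv/jail path are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: populate a chroot tree with binaries and their shared libs.
# Building the tree needs no privileges; only chroot(8) itself needs root.

# list_deps BIN: absolute paths of the shared objects BIN is linked against,
# dynamic loader included. Prints nothing for a static binary.
list_deps() {
    { ldd "$1" 2>/dev/null || true; } |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' | sort -u
}

# copy_into JAIL FILE: copy FILE to the same absolute path below JAIL,
# following symlinks so the jail holds real files, not dangling links.
copy_into() {
    mkdir -p "$1$(dirname "$2")" && cp -L "$2" "$1$2"
}

# populate_jail JAIL BIN...: copy each binary plus everything it links to.
populate_jail() {
    jail=$1; shift
    for bin in "$@"; do
        copy_into "$jail" "$bin" || return 1
        for lib in $(list_deps "$bin"); do
            copy_into "$jail" "$lib" || return 1
        done
    done
}

# missing_libs JAIL BIN: print every library BIN needs that JAIL lacks.
# Empty output means the binary can at least be loaded inside the jail.
missing_libs() {
    for lib in $(list_deps "$2"); do
        [ -e "$1$lib" ] || echo "$lib"
    done
}

# Direct use (paths are assumed examples): sh mkjail.sh /srv/jail /bin/sh /bin/ls
if [ "$#" -ge 2 ]; then
    populate_jail "$@"
fi
```

ldd only sees link-time dependencies, so anything loaded at run time with dlopen (NSS modules, for instance), along with the configuration files and device nodes the service needs, still has to be added by hand. Run ldd only on binaries you trust.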