[ovs-dev] [PATCH 0/3][RFC] Implement a chroot for ovsdb-server
Eric Sesterhenn
eric.sesterhenn at lsexperts.de
Fri Jul 11 11:24:01 UTC 2014
Hi,

on my Debian installation, the ovsdb-server is running as root. Since I
prefer to add additional mitigations for running services, I was looking
into putting the ovsdb-server into a chroot and implemented it in the
following three patches.

These patches are sent as a request for comments, since there are still
some issues left. The first patch introduces a file descriptor leak, and
some testcases fail when the chroot is enabled (these are 1293 1294 1297
1298 1299 1301). If --run-command is passed, the chroot is not active,
since the ovsdb-server needs to access further files.

Is this something worthwhile pursuing or are there reasons why chrooting
was not already implemented for ovsdb-server?

Best Regards,
Eric Sesterhenn
--
LSE Leading Security Experts GmbH, Postfach 100121, 64201 Darmstadt
Unternehmenssitz: Weiterstadt, Amtsgericht Darmstadt: HRB8649
Geschäftsführer: Oliver Michel, Sven Walther