[Haskell-cafe] chroot a single thread

Jeremy Shaw jeremy at n-heptane.com
Sun Dec 28 00:22:18 EST 2008


At Sat, 27 Dec 2008 22:41:58 -0600,
brian wrote:
> 
> On Sat, Dec 27, 2008 at 8:01 PM, Jeremy Shaw <jeremy at n-heptane.com> wrote:
> > The problem with that function is that chroot affects the root of the
> > whole process.
> 
> Yeah. Maybe you want privilege separation. Instead of starting a
> thread to do the stuff that requires extra authority, make it a
> separate program and communicate with it with some simple protocol.
> qmail might be good to look at to get the intuition.

In my case, it's not really a privilege / authority issue -- the goal
is to be able to build chroots to simulate different environments and
then run code and applications in those environments. The primary use
right now is an automated build system. The current solution has been
to use 'system' and the chroot executable, but that has its
limitations.

> You say you can only pass data and get back return codes, but really,
> you can send and receive whatever you want if the other process does
> I/O via a UNIX domain socket or something like that.

Yeah, I originally had some comments about forking off a separate
process and talking to it via some sort of IPC. But, I left it out
to see what other people would come up with :)

Alas, fchroot is such a small, simple little function that can
leverage the existing Haskell thread communication stuff. It is a shame
that to isolate the chroot to a single thread requires such a
significantly different approach. But, that is unix's fault not
Haskell's.

- jeremy
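The fork-and-IPC approach the thread converges on, as an added example that is not code from the thread or from the fchroot function Jeremy refers to. It binds chroot(2) through the FFI (the unix package does not wrap it), forks a child with forkProcess, chroots only that child, and reports the result back to the parent over a pipe with a one-line "OK ..."/"ERR ..." protocol. The names runInChroot, the root path /srv/build-env and the uid/gid 65534 are assumptions chosen for illustration; the child also drops to that unprivileged uid/gid after chroot, because a process that keeps root inside a chroot is not meaningfully confined by it.

```haskell
{-# LANGUAGE ForeignFunctionInterface #-}
module Main where

import Control.Exception (SomeException, try)
import Foreign.C.Error (throwErrnoIfMinus1_)
import Foreign.C.String (CString, withCString)
import Foreign.C.Types (CInt(..))
import System.Directory (getDirectoryContents)
import System.IO (hClose, hGetLine, hPutStrLn)
import System.Posix.Directory (changeWorkingDirectory)
import System.Posix.IO (closeFd, createPipe, fdToHandle)
import System.Posix.Process (forkProcess, getProcessStatus)
import System.Posix.Types (GroupID, UserID)
import System.Posix.User (setGroupID, setUserID)

-- chroot(2) is not wrapped by the unix package, so bind it through the FFI.
foreign import ccall unsafe "unistd.h chroot"
  c_chroot :: CString -> IO CInt

chroot :: FilePath -> IO ()
chroot path = withCString path $ \cpath ->
  throwErrnoIfMinus1_ "chroot" (c_chroot cpath)

-- Run an IO action inside a chroot, in a forked child process rather than a
-- thread, because chroot(2) changes the root of the whole process.
-- The child reports back over a pipe with a one-line protocol:
--   "OK <result>"  or  "ERR <exception text>"
-- If 'creds' is given, the child drops to that uid/gid after chroot, so a
-- bug in the action cannot use root to walk back out of the new root.
runInChroot :: FilePath -> Maybe (UserID, GroupID) -> IO String
            -> IO (Either String String)
runInChroot root creds action = do
  (readEnd, writeEnd) <- createPipe
  pid <- forkProcess $ do
    closeFd readEnd
    h <- fdToHandle writeEnd
    r <- try $ do
      chroot root
      changeWorkingDirectory "/"  -- chroot(2) does not chdir for you
      case creds of
        Just (uid, gid) -> setGroupID gid >> setUserID uid  -- gid first
        Nothing         -> return ()
      action
    hPutStrLn h $ case r of
      Left e  -> "ERR " ++ show (e :: SomeException)
      Right s -> "OK "  ++ s
    hClose h
  closeFd writeEnd
  h <- fdToHandle readEnd
  reply <- try (hGetLine h)
  hClose h
  _ <- getProcessStatus True False pid  -- reap the child
  return $ case reply of
    Left e     -> Left ("no reply from child: " ++ show (e :: SomeException))
    Right line -> case break (== ' ') line of
      ("OK", ' ':rest) -> Right rest
      (_,    rest)     -> Left (drop 1 rest)

main :: IO ()
main = do
  -- Placeholder chroot tree and the conventional "nobody" uid/gid; both are
  -- assumptions for this example, not values from the thread.
  r <- runInChroot "/srv/build-env" (Just (65534, 65534)) $
         fmap (unwords . take 5) (getDirectoryContents "/")
  putStrLn $ either ("chroot failed: " ++) ("child saw: " ++) r
```

Build with ghc against the unix and directory packages and run it as root, since chroot(2) needs CAP_SYS_CHROOT; the parent process never changes its own root, which is exactly the separation a thread cannot give you. Anything richer than a one-line reply (streaming build logs, file transfer) is the point at which a UNIX domain socket, as suggested in the thread, becomes the better channel than a pipe.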
