[6453] in Release_7.7_team
Re: Login chroots
daemon@ATHENA.MIT.EDU (Jonathan Reed)
Fri Oct 9 12:37:13 2009
Cc: release-team@mit.edu
Message-Id: <48F3A8B6-0FC1-4AD6-968D-0AA30AF14495@mit.edu>
From: Jonathan Reed <jdreed@MIT.EDU>
To: ghudson@mit.edu
In-Reply-To: <200910091634.n99GYSR9013990@outgoing.mit.edu>
Date: Fri, 9 Oct 2009 12:37:05 -0400

On Oct 9, 2009, at 12:34 PM, ghudson@MIT.EDU wrote:
> (Summarizing a zephyr conversation this morning.)
>
> LVM-based login chroots do four things:
>
> 1. Reduce the likelihood that a user's login activities will affect
> the reusability of the machine.
>
> 2. Allow a user's login activities to include becoming root and
> mucking around with the system (e.g. adding packages).
>
> 3. Allow the system's real root to take package updates without
> affecting the user login session.
>
> 4. Slow everything down, particularly the process of logging in.
>
> Login chroots have already been disabled on quickstations because of
> (4).

FYI, this change is currently in -proposed, and probably won't be
pushed out until early next week.

-Jon