Tim Newsham states:
> John Gibbins stated:
> > We are installing a package that I have very little trust in (but have no
> > choice in installing :-(, so I can't say no). To protect the rest of the
> > system from massive security holes it may contain (including shell escapes)
> > I want to run it via chroot() for obvious reasons.
> >
> > My problem is that users of the package need to be able to print.
> > How can I do this from within a chroot'd process (with min effort :-) without
> > impacting normal (non chroot) users?
>
> The way I understand it the printing commands send files to the
> print spooler through a unix domain socket in the /dev directory. If
> you set up your print spooler to open up a socket in the chroot'ed
> /dev as well it would probably do the trick.

The hard part is the last sentence. How do I tell lpd to look for two
UNIX domain sockets (/dev/printer and /chroot_dir/dev/printer)?

Simply copying lpr (and the necessary shared libraries) to the chroot area
and creating an /etc/printcap with remote machine/printer entries
pointing to the current machine is not sufficient. lpr wants to
talk to lpd on the local machine, which in turn talks to lpd on the
remote machine, so I need to run two copies of lpd on the same machine
(one chroot'd and one not). I have not been able to do that.

Any suggestions?

thanks
johng
--
John Gibbins                          The Western Australian Research Institute
The University of Western Australia   for Child Health Ltd         ,-_|\
email: johng @ chi . uwa . edu . au   GPO Box D184                /     \
Phone: +61-9-3408547                  PERTH W.A. 6001             *_,-._/
Fax: +61-9-3883414                    AUSTRALIA                        v
"Nothing is foolproof as fools are so ingenious"
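
The idea in the quoted reply, sketched as an added example (not from the thread and not part of lpd): a small relay owns a second socket at /chroot_dir/dev/printer and forwards each connection to the real /dev/printer, so only one lpd has to run. It assumes, as the reply does, that everything the print command needs passes over that socket; the function names and the 0660 socket mode are choices made here.

```python
import os, socket, threading

def _pump(src, dst):
    """Copy bytes from src to dst until EOF, then half-close dst."""
    try:
        while data := src.recv(4096):
            dst.sendall(data)
    except OSError:
        pass
    try:
        dst.shutdown(socket.SHUT_WR)
    except OSError:
        pass  # peer already gone

def _handle(client, real_path):
    """Bridge one client inside the jail to the real spooler socket."""
    with client, socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as upstream:
        try:
            upstream.connect(real_path)
        except OSError:
            return  # spooler not running; drop the client
        back = threading.Thread(target=_pump, args=(upstream, client), daemon=True)
        back.start()
        _pump(client, upstream)   # client -> spooler
        back.join()               # wait for the spooler's reply to drain

def _accept_loop(listener, real_path):
    while True:
        conn, _ = listener.accept()
        threading.Thread(target=_handle, args=(conn, real_path), daemon=True).start()

def start_relay(jail_path, real_path, mode=0o660):
    """Listen on jail_path, forward each connection to real_path; return the listener."""
    if os.path.lexists(jail_path):
        os.unlink(jail_path)  # clear a stale socket from a previous run
    listener = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
    old_umask = os.umask(~mode & 0o777)  # create the socket with `mode`, no chmod race
    try:
        listener.bind(jail_path)
    finally:
        os.umask(old_umask)
    listener.listen(5)
    threading.Thread(target=_accept_loop, args=(listener, real_path), daemon=True).start()
    return listener

if __name__ == "__main__":
    # Paths as written in the post; /chroot_dir stands for the jail root (assumption).
    start_relay("/chroot_dir/dev/printer", "/dev/printer")
    threading.Event().wait()  # run until killed
```

The relay runs outside the chroot, so the jailed package gains exactly one channel to the host: whatever the spooler accepts on that socket.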