Re: [Haskell-cafe] chroot a single thread

At Sat, 27 Dec 2008 22:41:58 -0600, brian wrote:

On Sat, Dec 27, 2008 at 8:01 PM, Jeremy Shaw wrote:

...

The problem with that function is that chroot affects the root of the whole process.

Yeah. Maybe you want privilege separation. Instead of starting a thread to do the stuff that requires extra authority, make it a separate program and communicate with it with some simple protocol. qmail might be good to look at to get the intuition.

In my case, it's not really a privilege / authority issue -- the goal is to be able to build chroot's to simulate different environments and then run code and applications in those environments. The primary use right now is an automated build system. The current solution has been to use 'system' and the chroot exectuable, but that has it's limitations.

You say you can only pass data and get back return codes, but really, you can send and receive whatever you want if the other process does I/O via a UNIX domain socket or something like that.

Yeah, I originally had some comments about forking off a seperate processing and talking to it via some sort of IPC. But, I left it out to see what other people would come up with :) Alas, fchroot is such a small, simple little function that can leverage the existing Haskell thread communication stuff. It is shame that to isolate the chroot to a single thread, requires such a significantly different approach. But, that is unix's fault not Haskell's. - jeremy