
Comment Re:The mythical idiot-proof distro/OS (Score 1) 182

Chroot is just one of the security mechanisms that is used by HP-LX. But I would not highlight this as one of the major security mechanisms.

The containment mechanism implemented in HP-LX is something new. By this I mean, you can create "compartments". Every compartment is independent of other compartments. But this does not help much unless you can allow communication between the compartments. This is where "communication rules" come into play. You can say something like:

Compartment web -> compartment java port 9999 method tcp device eth_lo

You have now created a communication channel that allows a process to talk from the web compartment (your web server) to the java compartment via the loopback device on port 9999.

Additionally, you have the ability to set rules on files. You could say:

web /apache/htdoc read
web /apache/logs read,write,append

Here your application running in the web compartment has only "read" access, no matter what the DAC permissions are on any file in the /apache/htdoc directory tree. If you had a file /apache/htdoc/project/index.html which is 666 you would still only have "read" access.
For files in the /apache/logs directory you give "read,write" access to files in the directory tree.

To me, these are the most important security features provided by HP-LX.
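
Added example, not part of the comment above and not HP-LX code: a small Python model of the two rule formats quoted in the comment, showing how a compartment file rule caps access regardless of DAC bits. The function names, default-deny behaviour, one-way channels, longest-prefix matching and use of the DAC "other" bits are all assumptions made for illustration.

```python
# Toy model of the rule formats quoted in the comment; not HP-LX code.
import re

# Constructed sample policy: the three rule lines from the comment.
POLICY = """\
Compartment web -> compartment java port 9999 method tcp device eth_lo
web /apache/htdoc read
web /apache/logs read,write,append
"""

COMM_RE = re.compile(
    r"compartment (\S+) -> compartment (\S+) port (\d+) method (\S+) device (\S+)$",
    re.IGNORECASE)

def parse_policy(text):
    """Return (comm_rules, file_rules) parsed from the policy text."""
    comm, files = set(), {}
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = COMM_RE.match(line)
        if m:
            src, dst, port, method, dev = m.groups()
            comm.add((src, dst, int(port), method.lower(), dev))
        else:
            comp, path, modes = line.split()
            files[(comp, path.rstrip("/"))] = set(modes.split(","))
    return comm, files

def may_connect(comm, src, dst, port, method, dev):
    # Assumption: compartments are isolated and channels are one-way,
    # so only an exact rule match allows the connection.
    return (src, dst, port, method, dev) in comm

def dac_other(mode):
    # Simplification: only the "other" permission bits are considered.
    return ({"read"} if mode & 0o4 else set()) | \
           ({"write", "append"} if mode & 0o2 else set())

def file_access(files, comp, path, mode):
    """Effective modes: rule of the closest covering directory, capped by DAC."""
    parts = path.rstrip("/").split("/")
    for i in range(len(parts), 0, -1):       # assumption: longest prefix wins
        rule = files.get((comp, "/".join(parts[:i])))
        if rule is not None:
            return rule & dac_other(mode)    # assumption: DAC still applies
    return set()                             # assumption: no rule, no access

COMM, FILES = parse_policy(POLICY)
```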
