root jail vs. system emulation

jhu (Lifer, Oct 10, 1999)
Let's say I want to put a small website on my computer. Would a full system emulator running a bare install of Linux + Apache be more secure than a chroot jail?
 

cquark (Golden Member, Apr 4, 2004)
Yes, a UML virtual machine or similar VM software provides greater isolation than chroot(), which can easily be broken if you know how and have a fairly small set of software tools.
 

Stiganator (Platinum Member, Oct 14, 2001)
Essentially, they are the same thing. Chroot jailing is a bit harder to set up as opposed to, like, VMware, but not by much. Chrooting doesn't have access to the host; VMware theoretically does by default, but I think you can disable it. That is a good question. Sorry I don't have a better answer.

Apparently, cquark knows what's going on better than I.
 

drag (Elite Member, Jul 4, 2002)
Well, it's possible to break out of a chroot jail (done it myself, when I needed to break out of a chroot'd remote Gentoo install over ssh for some odd reason. It's easy if you allow access to enough stuff to compile and run a C program.), but you can make it very difficult to do so if you set up the chroot environment effectively.

If you want to keep things completely separate then emulation isn't that bad. You can go with VMware, but there are other ways to run Linux within Linux that have very little performance penalty.

Personally I would stick with chroot and just go through the steps to harden it. This sort of thing is well known and there are lots of howtos and stuff on how to properly set up a chroot jail.

If you get a VM Linux cracked, how much do you gain over a real Linux OS?

=======--------------====------------=-=-=-=------------------------------

Another thing for security you can check out is SELinux. SELinux is now set up and used by default on Fedora Core 3.

They don't have a very complex and strict setup by default, but certain important services are set up using SELinux's mandatory access control. Then they also have very strict rules set up that you can optionally use.
Fedora Core 3 SELinux FAQ
Just an FYI.
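The point drag makes above, that a chroot is only as strong as what you leave inside it, can be turned into a quick audit. The POSIX shell script below is an added example written for this page, not code from the thread or from any project mentioned in it. It checks a jail directory for the usual weaknesses (compilers and interpreters, setuid/setgid files, device nodes beyond a small allowlist, and world-writable directories without the sticky bit), and it builds a constructed, throwaway jail so the findings can be seen without touching a real one. The tool list and device allowlist are assumptions chosen for the demo; extend them to match your own service.

```shell
#!/bin/sh
# Added example: audit a chroot directory for things that make escaping it easier.
# Usage: audit_jail /path/to/jail   (prints one "FINDING:" line per problem; returns 0 only when clean)

audit_jail() {
    jail=$1
    findings=0
    [ -d "$jail" ] && [ "$jail" != "/" ] || { echo "not a usable jail directory: $jail" >&2; return 2; }

    # 1. Toolchains and interpreters inside the jail let an intruder build and run their own programs.
    #    (Assumed list; add whatever your service must not have.)
    for tool in gcc cc g++ ld as make perl python python3; do
        if [ -n "$(find "$jail" -type f -name "$tool" -perm -0100 2>/dev/null | head -n 1)" ]; then
            echo "FINDING: build tool or interpreter present in jail: $tool"
            findings=$((findings + 1))
        fi
    done

    # 2. setuid/setgid files are a way back to root even for an unprivileged jailed process.
    n=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n setuid/setgid file(s) inside jail"
        findings=$((findings + 1))
    fi

    # 3. Device nodes expose the host kernel and disks; only a small allowlist should exist.
    n=$(find "$jail" \( -type c -o -type b \) 2>/dev/null \
        | grep -v -E '/dev/(null|zero|random|urandom)$' | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n device node(s) outside the allowlist"
        findings=$((findings + 1))
    fi

    # 4. World-writable directories without the sticky bit let any jailed user plant or replace files.
    n=$(find "$jail" -type d -perm -0002 ! -perm -1000 2>/dev/null | wc -l)
    if [ "$n" -gt 0 ]; then
        echo "FINDING: $n world-writable director(y/ies) without sticky bit"
        findings=$((findings + 1))
    fi

    echo "audit of $jail: $findings finding(s)"
    [ "$findings" -eq 0 ]
}

# Constructed demo jail with three deliberate problems (compiler, setuid shell, writable docroot).
make_demo_jail() {
    j=$(mktemp -d)
    mkdir -p "$j/bin" "$j/var/www" "$j/tmp"
    printf '#!/bin/sh\necho fake compiler\n' > "$j/bin/gcc"; chmod 0755 "$j/bin/gcc"   # finding: compiler
    printf '#!/bin/sh\n' > "$j/bin/sh";                     chmod 4755 "$j/bin/sh"    # finding: setuid binary
    chmod 0777 "$j/var/www"                                                           # finding: no sticky bit
    chmod 1777 "$j/tmp"                                                               # fine: sticky bit set
    echo "$j"
}

# Constructed minimal jail the way a hardened one should look: one service binary, nothing else.
make_clean_jail() {
    j=$(mktemp -d)
    mkdir -p "$j/bin" "$j/lib" "$j/tmp"
    printf '#!/bin/sh\necho httpd\n' > "$j/bin/httpd"; chmod 0755 "$j/bin/httpd"
    chmod 1777 "$j/tmp"
    echo "$j"
}

# Stand-alone use: audit the directory given on the command line, or run the demo.
if [ "$#" -gt 0 ]; then
    audit_jail "$1"
else
    demo=$(make_demo_jail)
    audit_jail "$demo" || echo "(the demo jail is intentionally unsafe)"
    rm -rf "$demo"
fi
```

The script does not need root, which also means it cannot tell you whether the service itself still runs as root inside the jail; that is the other half of hardening, and it has to be checked in the service's startup (chdir, chroot, then drop to an unprivileged uid/gid before serving).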
 

drag (Elite Member, Jul 4, 2002)
Originally posted by: cquark
Yes, a UML virtual machine or similar VM software provides greater isolation than chroot(), which can easily be broken if you know how and have a fairly small set of software tools.

I forgot about UML....

How about running UML inside of a chroot environment? :D
 

cquark (Golden Member, Apr 4, 2004)
Originally posted by: drag
Originally posted by: cquark
Yes, a UML virtual machine or similar VM software provides greater isolation than chroot(), which can easily be broken if you know how and have a fairly small set of software tools.

I forgot about UML....

How about running UML inside of a chroot environment? :D

It's not a bad idea, as UML needs few files beyond its filesystem image.

As for the advantages, UML with a CoW filesystem is amazingly easy to restore to its initial state in case of a compromise. Even if you use your host machine for multiple services, if each service runs on a UML, compromising the service only compromises the UML VM, leaving the other services secure.