• We’re currently investigating an issue related to the forum theme and styling that is impacting page layout and visual formatting. The problem has been identified, and we are actively working on a resolution. There is no impact to user data or functionality, this is strictly a front-end display issue. We’ll post an update once the fix has been deployed. Thanks for your patience while we get this sorted.

root jail vs. system emulation

J

jhu

Lifer
let's say i want to put a small website on my computer. would a full system emulator running a bare install of linux + apache be more secure than a chroot jail?
 
Yes, a UML virtual machine or similar VM software provides greater isolation than chroot(), which can easily be broken if you know how and have a fairly small set of software tools.
 
esentially, they are the same thing. Chroot jailing is a bit harder to setup as opposed to like VMware, but not by much. Chrooting doesn't have access to the host, VMware theoretically does by default, but I think you can disable it. that is a good question. Sorry I don't have a better answer.

Apparently, cquark knows what's going on better than I.
 
Well it's possible to break out of a chroot jail (done it myself, when I needed to break out of a chroot'd remote Gentoo install over ssh for some odd reason. It's easy if you allow access to enough stuff to compile and run a c program.), but you can make it very difficult to do so if you setup the chroot enviroment effectively.

If you want to keep things completely seperate then emulation isn't that bad. You can go with VMware, but there are other way so to run Linux within Linux that have very little performance penalty.

Personally I would stick with chroot and just go thru the steps to harden it. This sort of thing is well known and there are lots of howtos and stuff on how to properly setup a chroot jail.

If you get a VM Linux cracked, how much do you gain over a real Linux OS?

=======--------------====------------=-=-=-=------------------------------

Another thing for security you can check out is SELinux. SELinux is now setup and used by default on Fedora Core3.

They don't have a very complex and strict setup by default, but certain important services are setup using SELinux's mandatory access control. Then they also have very strict rules setup that you can optionally use.
Fedora Core 3 SELinux FAQ
Just a FYI.
 
Originally posted by: cquark
Yes, a UML virtual machine or similar VM software provides greater isolation than chroot(), which can easily be broken if you know how and have a fairly small set of software tools.
Click to expand...

I forgot about UML....

How about running UML inside of a Chroot enviroment? 😀
 
Originally posted by: drag
Originally posted by: cquark
Yes, a UML virtual machine or similar VM software provides greater isolation than chroot(), which can easily be broken if you know how and have a fairly small set of software tools.
Click to expand...

I forgot about UML....

How about running UML inside of a Chroot enviroment? 😀
Click to expand...

It's not a bad idea, as UML needs few files beyond its filesystem image.

As for the advantages, UML with a CoW filesystem is amazingly easy to restore to its initial state in case of a compromise. Even if you use your host machine for multiple services, if each service runs on a UML, compromising the service only compromises the UML VM, leaving the other services secure.
 
You must log in or register to reply here.

TRENDING THREADS

Back
Top