RE: chroot breakout (was: Xen 2.0 Virtual Machine)

Brian Densmore wrote:
>
>> Garrett Goebel wrote:
>>
>>> Have you tried to just chroot into another one?
>> For _a_ test environment, that's fine. But not for running multiple
>> simultaneous test environments, or giving away root accounts.
>
>Are you saying that you can't open up multiple CLIs and run chroot in
>as many simultaneous instances as memory and diskspace allow?

Sure, but instances of what? Processes not kernels. You couldn't for instance test the setup of a high availability cluster...

>[somewhat OT: ]
>Also if one can break out
>of a chroot environment then they have the skill to own the machine
>anyway. You need to be able to find and use a security flaw on the
>machine that would give you root access and have access inside of
>the chrooted environment to a compiler or perl interpreter. So the
>fact that one could own a machine from inside a chroot environment
>doesn't increase the possibility that someone could get root access.

Unless of course you _want_ to give someone root access without fear that they can subvert their host. Chroot is fine for running services under a low privilege account in a jail. It isn't a cure-all.

>Although what that has to do with wanting to run a VM, which is what
>this thread is about, eludes me. In order to run a VM a user would
>need an account on your box, and if they are going to crack your
>system and have the knowledge to break out of a chrooted environment,
>then they can own your box from their user account.

In order to run a UML VM on a box, you need to run a UML instance which the end user could log into. They don't need _access_ to an account on the UML host. Except to the extent that UML instance would be running under some set of credentials.

With UML I can give anyone I wish a root account on their own virtual Linux box... I still have to worry about them misusing it or being penetrated, but not so much about attempts to subvert the uml host. I think UML is promising choice for ISP's who offer co-hosting services.

--
Garrett Goebel
IS Development Specialist

ScriptPro                   Direct: 913.403.5261
5828 Reeds Road               Main: 913.384.1008
Mission, KS 66202              Fax: 913.384.2180
www.scriptpro.com          garrett at scriptpro dot com