Brian Densmore wrote:
Garrett Goebel wrote:
Have you tried to just chroot into another one?
For _a_ test environment, that's fine. But not for running multiple simultaneous test environments, or giving away root accounts.
Are you saying that you can't open up multiple CLIs and run chroot in as many simultaneous instances as memory and diskspace allow?
Sure, but instances of what? Processes not kernels. You couldn't for instance test the setup of a high availability cluster...
[somewhat OT: ] Also if one can break out of a chroot environment then they have the skill to own the machine anyway. You need to be able to find and use a security flaw on the machine that would give you root access and have access inside of the chrooted environment to a compiler or perl interpreter. So the fact that one could own a machine from inside a chroot environment doesn't increase the possibility that someone could get root access.
Unless of course you _want_ to give someone root access without fear that they can subvert their host. Chroot is fine for running services under a low privilege account in a jail. It isn't a cure-all.
Although what that has to do with wanting to run a VM, which is what this thread is about, eludes me. In order to run a VM a user would need an account on your box, and if they are going to crack your system and have the knowledge to break out of a chrooted environment, then they can own your box from their user account.
In order to run a UML VM on a box, you need to run a UML instance which the end user could log into. They don't need _access_ to an account on the UML host. Except to the extent that UML instance would be running under some set of credentials.
With UML I can give anyone I wish a root account on their own virtual Linux box... I still have to worry about them misusing it or being penetrated, but not so much about attempts to subvert the UML host. I think UML is a promising choice for ISPs who offer co-hosting services.
--
Garrett Goebel
IS Development Specialist
ScriptPro
5828 Reeds Road, Mission, KS 66202
Direct: 913.403.5261  Main: 913.384.1008  Fax: 913.384.2180
www.scriptpro.com  garrett at scriptpro dot com
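Added example, not code from the thread: the sequence a service should use to enter a chroot jail and drop to the low-privilege account Brian mentions, with the order of operations that matters (chdir after chroot, groups before gid before uid, then verify root cannot be regained). The enter_jail function and its argument checks are my own construction.

```c
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>

/* Returns 0 on success, -1 with errno set on failure. Refuses to leave the
 * process as uid/gid 0 inside the jail: a root process keeps access to the
 * kernel's privileged interfaces, so a chroot alone does not contain it. */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    if (dir == NULL || uid == 0 || gid == 0) {
        errno = EINVAL;
        return -1;
    }
    /* chroot(2) itself needs root (CAP_SYS_CHROOT on Linux). */
    if (geteuid() != 0) { errno = EPERM; return -1; }
    if (chroot(dir) != 0)
        return -1;
    /* chroot does not change the cwd; without this chdir the process still
     * holds a directory handle above the new root. */
    if (chdir("/") != 0)
        return -1;
    /* Drop supplementary groups first, then gid, then uid: once the uid is
     * non-zero, setgroups/setgid would fail. */
    if (setgroups(0, NULL) != 0)
        return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    /* Verify the drop is irreversible: regaining uid 0 must fail. */
    if (setuid(0) == 0 || seteuid(0) == 0) {
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(int argc, char **argv)
{
    if (argc != 4 ||
        enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3])) != 0) {
        perror("enter_jail <dir> <uid> <gid>");
        return 1;
    }
    printf("jailed in %s as uid %d\n", argv[1], (int)getuid());
    return 0;
}
```

Run as root with a non-zero uid and gid, e.g. `./jail /srv/jail 1000 1000`; the argument checks reject uid or gid 0 before any chroot call is made.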
On Mon, Nov 08, 2004 at 10:54:37AM -0600, Garrett Goebel wrote:
With UML I can give anyone I wish a root account on their own virtual Linux box... I still have to worry about them misusing it or being penetrated, but not so much about attempts to subvert the UML host. I think UML is a promising choice for ISPs who offer co-hosting services.
Yup. There are companies already using it to offer such services, eg:
http://www.linode.com/products/
Calling chroot requires superuser privileges. I imagine, without a whole lot of basis, that the extended privilege systems (SELinux, etc.) can abstract chroot rights to a more restricted credential.
SELinux strikes me as a magic trick -- by redefining the security policy, user ID zero no longer means superuser. Something else means superuser instead.
For finding out if a kernel will work with your hardware, there really is no substitute for trying it on a second machine with the same hardware.
On Mon, Nov 08, 2004 at 10:54:37AM -0600, Garrett Goebel wrote:
With UML I can give anyone I wish a root account on their own virtual Linux box... I still have to worry about them misusing it or being penetrated, but not so much about attempts to subvert the UML host. I think UML is a promising choice for ISPs who offer co-hosting services.
See also http://www.redwoodvirtual.com. They offer root accounts in a UML environment. I don't work for them nor am I a customer. Though I am thinking of playing with the idea in case I wanted to venture into web hosting. I'm always up for learning something new anyway!
I was a bit ambiguous earlier in the thread when I said "virtual environment." My main goal would be to run Linux on Linux, as close to hardware as I can get, for the purpose of testing other Linux distributions. Recently I installed several Linux distros to get screenshots of how to update that specific distro. I used spare space on my hard drive for the installs, but then I had to worry about uids and gids and mounting the other partitions correctly so I could save off the screenshots. Not a big deal, but if I am going to do more of this, I'd like to run the distros as a VM and mount /home via NFS, and authenticate via OpenLDAP+PAM.
Jeremy
[email protected] wrote:
See also http://www.redwoodvirtual.com. They offer root accounts in a UML environment. I don't work for them nor am I a customer. Though I am thinking of playing with the idea in case I wanted to venture into web hosting. I'm always up for learning something new anyway!
I was a bit ambiguous earlier in the thread when I said "virtual environment." My main goal would be to run Linux on Linux, as close to hardware as I can get, for the purpose of testing other Linux distributions. Recently I installed several Linux distros to get screenshots of how to update that specific distro. I used spare space on my hard drive for the installs, but then I had to worry about uids and gids and mounting the other partitions correctly so I could save off the screenshots. Not a big deal, but if I am going to do more of this, I'd like to run the distros as a VM and mount /home via NFS, and authenticate via OpenLDAP+PAM.
I've run into a bit of these problems while messing with LiveCDs. Most allow you to mount partitions as read-only, so how do you save your screenshots? From the command line, in a root xterm, you "mount -rw /dev/hdax /mnt/hdax" where x is the partition number. If it is FAT16 or FAT32, you can add "-t vfat" after the mount and before the partition info; for NTFS you use "-t ntfs" but you can't do read-write. Actually you can now if you use the captive NTFS driver, but that's another lesson/headache. As for UIDs and GIDs, I'd be interested in how you solved this.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of [email protected]
Sent: Monday, November 08, 2004 7:38 PM
To: [email protected]
Subject: Re: chroot breakout (was: Xen 2.0 Virtual Machine)
[snip]
See also http://www.redwoodvirtual.com. They offer root accounts in a UML environment. I don't work for them nor am I a customer. Though I am thinking of playing with the idea in case I wanted to venture into web hosting. I'm always up for learning something new anyway!
I took a look at Redwood Virtual, and noted their site says they are at full capacity and need more servers. I haven't a clue how long that condition will last, and don't know anything about them. I _can_ speak for the Open Hosting project (www.openhosting.com), as I have been a customer of theirs for a bit over a year I think.
All in all, I have been exceptionally pleased with the services provided by openhosting.com. My systems have only required a reboot perhaps once in the past year, which as I recall was the result of an _other_ VPS on the same system as mine suffering from a DDoS attack. In that instance, the issue was handled by Open Hosting staff before I was aware of any degradation of service. I perceive an exceptionally high value in the services provided at an excellent price.
My $.02, Dustin