Re: prevent breaking a chroot() jail?

From: Ville Herva (vherva@niksula.hut.fi)
Date: Fri Jul 05 2002 - 13:45:03 EST


On Fri, Jul 05, 2002 at 11:15:39AM -0700, you [H. Peter Anvin] wrote:
>
> This sounds like a job for [dum de dum dum] capabilities... remember,
> on Linux root hasn't been almighty for a very long time, it's just a
> matter of which capabilities you retain. Of course, if you really
> want to be safe, you might end up with a rather castrated root inside
> the chroot shell.
>
> If you really want to jail something, use UML.

ISTR UML had some security problems (guest processes being able to disrupt
host processes or just guest processes being able to disrupt other guest
processes). Have those been resolved yet?

Do people use it in production? Last I heard someone had evaluated it, it
had ended up consuming way too much CPU per "jail" for whatever reason.
Perhaps things are better already...

-- v --

v@iki.fi
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sun Jul 07 2002 - 22:00:16 EST