[lug] R00tKIT!! Raah!

Michael Hirsch mdhirsch at gmail.com
Mon Jun 20 11:12:59 MDT 2005


On 6/19/05, Dean Brissinger <brissing at kaidok.com> wrote:
> I prefer jails for security.  This is a BSD feature.  Solaris 10 also has a
> "zones" feature that is effectively the same thing (www.opensolaris.org).
> Jails are unique because they not only chroot and prevent getting out of a
> file-system space but also are unable to gain rights in the kernel.
> Basically your processes and memory spaces are locked in a jail too.  I
> mention Solaris btw because it is binary compatible with Linux now.  I
> haven't yet but am tempted to try Linux web servers in Solaris zones.  :-)
>
Linux certainly has chroot, but it sounds like the BSD jails may have
more features.  I'd be interested in hearing what else they have.

You might be interested in the Linux vserver project which sounds
more like what you want <http://linux-vserver.org/>.  A vserver is a
chrooted system inside a larger Linux system.  After you switch to a
vserver, you can only see that vserver's files, processes, and even
network.  It's pretty cool being able to give someone root access to
"their" server and they can't touch the rest of the system.  I think a
lot of organizations that provide hosting services use this now.
They can provide multiple servers on one piece of x86 hardware.

Note that vservers are not a virtualization system like Xen or UML.
There is only one kernel running, it just has several jails inside it.
Xen and UML make you run several kernels if you want several
different jails.

Michael
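The point both posters circle around is that a plain chroot confines only the filesystem view: whatever is copied inside the tree (setuid binaries, device nodes, writable directories) is exactly what a confined root user gets to work with, which is why jails and vservers add process and kernel-rights confinement on top. The script below is an added example, not code from this thread, from the vserver project, or from any BSD or Solaris tool; it audits a candidate chroot tree for that kind of careless content. `audit_chroot`, `ALLOWED_TOP_LEVEL`, `build_sample_chroot` and `run_demo` are names chosen for this example, the allowlist is the example author's own checklist rather than a documented standard, and the two sample trees are constructed in a temporary directory so the script runs offline without root.

```python
"""Audit a chroot tree for contents that undermine it as a security boundary.

Added example for the thread above; not code from the LUG list, the vserver
project, or any BSD/Solaris tool. Assumption behind the checks: a chroot
confines only the filesystem view, so whatever is placed inside the tree is
what a confined process can reach. The checklist is the example author's own.
"""
import os
import stat
import tempfile

# Directories a minimal chroot is expected to contain; anything else at the
# top level is reported so the operator has to justify it (constructed list).
ALLOWED_TOP_LEVEL = {"bin", "lib", "lib64", "etc", "usr", "tmp", "var"}


def audit_chroot(root: str, expected_owner: int = 0) -> list[str]:
    """Return human-readable findings for the tree at `root` (empty = clean)."""
    findings: list[str] = []
    root = os.path.abspath(root)

    top = os.lstat(root)
    if top.st_uid != expected_owner:
        findings.append(f"{root} is owned by uid {top.st_uid}, expected {expected_owner}")
    if top.st_mode & stat.S_IWOTH:
        findings.append(f"{root} is world-writable")

    for entry in sorted(os.listdir(root)):
        if entry not in ALLOWED_TOP_LEVEL:
            findings.append(f"unexpected top-level entry: {entry}")

    for dirpath, dirnames, filenames in os.walk(root):
        for name in sorted(dirnames + filenames):
            path = os.path.join(dirpath, name)
            mode = os.lstat(path).st_mode  # lstat: never follow symlinks
            rel = os.path.relpath(path, root)
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append(f"device node inside chroot: {rel}")
            elif stat.S_ISREG(mode) and (mode & (stat.S_ISUID | stat.S_ISGID)):
                findings.append(f"setuid/setgid file: {rel}")
            elif stat.S_ISDIR(mode) and (mode & stat.S_IWOTH) and not (mode & stat.S_ISVTX):
                findings.append(f"world-writable directory without sticky bit: {rel}")
    return findings


def _mkdir(path: str, mode: int) -> None:
    os.makedirs(path, exist_ok=True)
    os.chmod(path, mode)  # explicit chmod so the caller's umask cannot change the result


def _touch(path: str, mode: int) -> None:
    with open(path, "w") as fh:
        fh.write("#!/bin/sh\n")  # constructed placeholder content
    os.chmod(path, mode)


def build_sample_chroot(weak: bool) -> str:
    """Create a constructed chroot tree in a temp dir and return its path."""
    root = tempfile.mkdtemp(prefix="chroot-audit-")
    _mkdir(os.path.join(root, "bin"), 0o755)
    _touch(os.path.join(root, "bin", "sh"), 0o755)
    _mkdir(os.path.join(root, "var"), 0o755)
    if weak:
        _touch(os.path.join(root, "bin", "su"), 0o4755)  # setuid binary copied in by mistake
        _mkdir(os.path.join(root, "var", "run"), 0o777)  # world-writable, no sticky bit
        _mkdir(os.path.join(root, "home"), 0o755)        # not on the allowlist
    return root


def run_demo() -> dict[str, list[str]]:
    """Audit one careless and one minimal tree. The owner check is pinned to the
    current user because the sample trees are created here, not by root."""
    me = os.getuid()
    return {
        "weak": audit_chroot(build_sample_chroot(weak=True), expected_owner=me),
        "minimal": audit_chroot(build_sample_chroot(weak=False), expected_owner=me),
    }


if __name__ == "__main__":
    for label, findings in run_demo().items():
        print(f"{label}: {findings or ['clean']}")
```

Running the script prints three findings for the careless tree (the stray `home` directory, the setuid `bin/su`, and the world-writable `var/run`) and none for the minimal one. The device-node check never fires in the constructed samples because creating device nodes needs root, but it is the check that matters most on a real tree: a writable disk or memory device inside the chroot gives a confined root user the same reach it would have outside.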
