[Techtalk] Re: User-Mode Linux v. BSD jail

Raven Alder raven at oneeyedcrow.net
Thu Mar 6 20:09:46 EST 2003


Heya --

Quoth jennyw (Thu, Mar 06, 2003 at 10:03:18AM -0800):
> On irc, hpa suggested looking into BSD jail, which is lighter weight
> and stable.  This looks like it would be pretty good, too (I don't
> want to use plain chroot because that still gives processes access to
> networking, and also there are ways to break out of chroot I've read).

	BSD jail is pretty good, and does indeed prevent several of the
methods commonly used to break chroot.  However, BSD system
administration had a pretty steep learning curve for me, even knowing
Linux decently.  I like BSD and consider it very much a worthy
investment of time... but it sounds like you have a lot on your plate
already.

	If you're wanting to stay on Linux, you might want to look at
the LIDS kernel patch -- it does a lot of the things that BSD jail does
(like catching capset things).  Very very customizable.  The hardest
part is figuring out what rules are appropriate.  Getting LIDS on a box
and determining good rules for normal box usage is a non-trivial
endeavour, though, and if you don't specify then a lot of things are
denied/disallowed by default.  (Good security posture, but takes some
time to set up.)  The LIDS config on my work machine here (which,
admittedly, is far far more complex than most of my servers -- I have
XWindows, a bunch of security software, all of which wants weird
permissions and capabilities, a journaling filesystem, and a chrooted
anonymous FTP server, etc.) has three pages of lidsconf rules.  Also,
using LIDS will keep you slightly behind the cutting edge of kerneldom
-- at the moment, 2.4.20 is the latest kernel, but LIDS only has patches
for up to 2.4.18.

	If you do go with LIDS, do NOT attempt to install it for the
first time on your production box's kernel.  Large amounts of downtime
will ensue as you pore through log files and error messages and man
pages trying to figure out what permissions what processes need, and how
to grant them.  [sheepish grin]  Spent almost a whole workday just
trying to get my desktop back in working order.

	And if you are so foolish as to do that, remember that if you
build a regular 2.4.18 kernel and then build a LIDS-enabled 2.4.18
kernel and don't specify a different directory for it to be
built/installed in, that you may in fact overwrite files from your
regular 2.4.18 kernel.  Then when you go, "Gah, that didn't work" and
try to fall back on the regular kernel, you have the nasty surprise of
finding out that it too is now broken when it worked just fine before.
[even more sheepish grin]  The really bad part about that was that it
horked the driver for my network card, so even under the good kernel I
couldn't get online at first to try and google for help.

	On the plus side, everything was eventually made to work
properly again (took about a day of effort) and I feel a lot more
confident about my system's security.  [grin]  If *I* had to go through
that much pain to get the normal system processes able to do their
jobs... good luck, attackers.

	I don't know anything about UML.

Cheers,
Raven
 
"One more day of work and you should be ready for testing here."
"Uh.  Testing.  Right.  Of course."
  -- nervous-making conversation from consulting
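An added example, not part of Raven's post, for the kernel-overwrite pitfall described above: two 2.4.18 trees that produce the same release string install into the same /lib/modules directory, and the second build clobbers the first. The script reads VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION from each tree's top-level Makefile (assumed layout, as in 2.4-era kernels) and warns when the LIDS-patched tree has not been given a distinct EXTRAVERSION; the sample Makefiles are constructed inline.

```shell
#!/bin/sh
# Added example (not from the original post): derive the release string a
# 2.4-era kernel Makefile would produce, so a LIDS-patched build can be
# given its own EXTRAVERSION before it overwrites /lib/modules/<release>.
# Assumption: Makefiles carry VERSION/PATCHLEVEL/SUBLEVEL/EXTRAVERSION lines.

# Print "VERSION.PATCHLEVEL.SUBLEVELEXTRAVERSION" for one kernel Makefile.
kernel_release() {
    makefile="$1"
    v=$(sed -n 's/^VERSION *= *//p' "$makefile" | head -n1)
    p=$(sed -n 's/^PATCHLEVEL *= *//p' "$makefile" | head -n1)
    s=$(sed -n 's/^SUBLEVEL *= *//p' "$makefile" | head -n1)
    e=$(sed -n 's/^EXTRAVERSION *= *//p' "$makefile" | head -n1)
    printf '%s.%s.%s%s\n' "$v" "$p" "$s" "$e"
}

# Return 0 if the two trees would install into the same /lib/modules
# directory (the second build would clobber the first), 1 otherwise.
would_clobber() {
    [ "$(kernel_release "$1")" = "$(kernel_release "$2")" ]
}

# Constructed sample Makefile headers: a plain 2.4.18 tree, a LIDS-patched
# copy with EXTRAVERSION left untouched, and the same copy after fixing it.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 18\nEXTRAVERSION =\n' > "$tmp/Makefile.plain"
printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 18\nEXTRAVERSION =\n' > "$tmp/Makefile.lids"
printf 'VERSION = 2\nPATCHLEVEL = 4\nSUBLEVEL = 18\nEXTRAVERSION = -lids\n' > "$tmp/Makefile.lids_fixed"

if would_clobber "$tmp/Makefile.plain" "$tmp/Makefile.lids"; then
    echo "WARNING: both trees build $(kernel_release "$tmp/Makefile.plain"); set EXTRAVERSION in the LIDS tree"
fi
if ! would_clobber "$tmp/Makefile.plain" "$tmp/Makefile.lids_fixed"; then
    echo "OK: $(kernel_release "$tmp/Makefile.lids_fixed") installs beside $(kernel_release "$tmp/Makefile.plain")"
fi
```

Run it against the real trees by pointing kernel_release at each tree's top-level Makefile instead of the constructed samples.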
_______________________________________________
Techtalk mailing list
Techtalk at linuxchix.org
http://mailman.linuxchix.org/mailman/listinfo/techtalk