FreeBSD jail vs. User Mode Linux and Linux-vserver
Johannes B. Ullrich
jullrich at sans.org
Mon Dec 8 16:16:04 EST 2003
> Does anyone out there have experience with any of these tools (or any
> other way of achieving the same goal)?
Couple of "data points":
UML: I am not sure about the latest status, but when I checked it last,
it was not ready for production use. If you have money to spend, look
at vmware (I think it's $300 for the "Workstation" version, which will
work fine in most cases).
Chroot: I am relying heavily on it under Linux. I have not used FreeBSD.
Under Linux, I strongly recommend using a kernel with grsecurity. It
will limit chroot (and 'root') even further and allows for some extra
logging of breakout attempts. Even without 'chroot', grsecurity is
a great addition to any server.
One issue with 'chroot': Maintaining a chroot setup can be a bit
of a hassle. You will need copies of required libraries in all
chroot 'jails'. If you need to update a particular library (e.g.
openssl), you need to remember to copy it to all jails that use it.
I don't think chroot makes too much sense on single-purpose servers, but
it may still limit damage. And it's invaluable on servers that run
multiple daemons.
--
CTO SANS Internet Storm Center http://isc.sans.org
phone: (617) 786 1563
fax: (617) 786 1550 jullrich at sans.org
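The maintenance problem described in the message (a library updated on the host but not in every chroot jail that carries its own copy) can be caught with a small consistency check. This is an added example, not part of the original post; it assumes jails live as subdirectories of one parent directory and that the library sits at the same relative path in the host root and in each jail, and it builds its own constructed sample layout.

```shell
#!/bin/sh
# Added example: report chroot jails whose copy of a shared library differs
# from (or is missing relative to) the host's copy, so an update such as a
# new openssl is not silently left out of a jail.
# Assumed layout: HOST_ROOT/<relpath> and JAIL_PARENT/<jail>/<relpath>.

# Digest of a file, or "missing" if it does not exist.
lib_digest() {
    if [ ! -f "$1" ]; then
        echo missing
    elif command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        cksum "$1" | cut -d' ' -f1      # POSIX fallback
    fi
}

# stale_jails HOST_ROOT JAIL_PARENT RELATIVE_LIB_PATH
# Prints one line per jail that is out of sync with the host copy.
# Returns 0 when every jail matches, 1 otherwise.
stale_jails() {
    host_sum=$(lib_digest "$1/$3")
    rc=0
    for jail in "$2"/*/; do
        jail=${jail%/}
        jail_sum=$(lib_digest "$jail/$3")
        if [ "$jail_sum" != "$host_sum" ]; then
            echo "$jail ($jail_sum)"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample: a host root and three jails; "web" is current,
# "mail" carries a stale copy, "dns" has no copy at all.
build_sample() {
    base=$(mktemp -d)
    mkdir -p "$base/host/usr/lib" "$base/jails/web/usr/lib" \
             "$base/jails/mail/usr/lib" "$base/jails/dns/usr/lib"
    echo "libssl 0.9.7c (constructed)" > "$base/host/usr/lib/libssl.so"
    cp "$base/host/usr/lib/libssl.so" "$base/jails/web/usr/lib/"
    echo "libssl 0.9.7a (constructed)" > "$base/jails/mail/usr/lib/libssl.so"
    echo "$base"
}

# Number of jails flagged for the sample layout (expected: 2).
count_stale_in_sample() {
    base=$(build_sample)
    stale_jails "$base/host" "$base/jails" usr/lib/libssl.so | wc -l | tr -d ' '
    rm -rf "$base"
}
```

Run it against real paths as `stale_jails / /var/jails usr/lib/libssl.so` (paths are placeholders) from cron and alert on a non-zero exit.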