FreeBSD jail vs. User Mode Linux and Linux-vserver

[jullrich at sans.org (Johannes B. Ullrich)]

> Does anyone out there have experience with any of these tools (or any 
> other way of achieving the same goal)?

Couple of "data points"

UML: I am not sure about the latest status, but when I checked it last,
it was not ready for production use. If you have money to spend, look
at vmware (I think its $300 for the "Workstation" version, which will
work fine in most cases.

Chroot: I am relying heavily on it under Linux. I have not used FreeBSD.
Under Linux, I strongly recommend to use a kernel with grsecurity. It
will limit chroot (and 'root') even further and allows for some extra
logging of breakout attempts. Even without 'chroot', grsecurity is
a great addition to any server.

One issue with 'chroot': Maintaining a chroot setup can be a bit
of a hassle. You will need copies of required libraries in all
chroot 'jails'. If you need to update a particular library (e.g.
openssl), you need to remember to copy it to all jails that use it.

I don't think chroot makes too much sense on single-purpose servers. but
it may still limit damage. And its invaluable on servers that run
multiple daemons.



-- 
CTO SANS Internet Storm Center               http://isc.sans.org
phone: (617) 786 1563            
  fax: (617) 786 1550                          jullrich at sans.org

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
URL: <http://lists.blu.org/pipermail/discuss/attachments/20031208/1da3aab8/attachment.sig>