FreeBSD jail vs. User Mode Linux and Linux-vserver
miah
jjohnson at sunrise-linux.com
Mon Dec 8 16:54:15 EST 2003
On Mon, Dec 08, 2003 at 04:16:04PM -0500, Johannes B. Ullrich wrote:
> Couple of "data points"
>
> UML: I am not sure about the latest status, but when I checked it last,
> it was not ready for production use. If you have money to spend, look
> at vmware (I think its $300 for the "Workstation" version, which will
> work fine in most cases.
I have several 'production' UML systems set up at work. It works fine as long as you can deal with its shortcomings. You can share one 'disk image' among multiple UML instances, any changes made in the UML instance is stored in its own file. Really handy, but you cant do things like 'update rpms' on the master disk image, if the master disk image changes at all, all other UML instances freak out. The documentation also sucks, and getting things setup is generally lots of work. Once its setup though its stable.
> Chroot: I am relying heavily on it under Linux. I have not used FreeBSD.
> Under Linux, I strongly recommend to use a kernel with grsecurity. It
> will limit chroot (and 'root') even further and allows for some extra
> logging of breakout attempts. Even without 'chroot', grsecurity is
> a great addition to any server.
>
> One issue with 'chroot': Maintaining a chroot setup can be a bit
> of a hassle. You will need copies of required libraries in all
> chroot 'jails'. If you need to update a particular library (e.g.
> openssl), you need to remember to copy it to all jails that use it.
Updating libs in the chroot is something people forget often...
> I don't think chroot makes too much sense on single-purpose servers. but
> it may still limit damage. And its invaluable on servers that run
> multiple daemons.
Every layer of security is one more hoop an attacker will have to jump through. If you're only running named on a system you should still chroot it. Of course, the other option is to build a tiny distro and run it off of cd, have it fetch all its configs from a secure source (you could even cryptographically sign the configs) and have it load all that at startup. If somebody were to hack that, a reboot would fix it.
As far as FreeBSD Jail, I belive its similar to UML. You end up running a completely virtual system inside the host system, which means more stuff to maintain. Its cool if you lack the hardware, but I don't see it really gaining you anything. You still need to chroot everything inside the jail, and the jail does impose some restrictions, but so does linux + grsecurity and a properly configured grsecurity ACL.
-miah
More information about the Discuss
mailing list