chroot breakout (was: Xen 2.0 Virtual Machine)

Garrett Goebel garrett at scriptpro.com
Mon Nov 8 10:54:37 CST 2004


Brian Densmore wrote:
> 
>> Garrett Goebel wrote:
>>
>>> Have you tried to just chroot into another one? 
>> For _a_ test environment, that's fine. But not for running multiple 
>> simultaneous test environments, or giving away root accounts.
>
>Are you saying that you can't open up multiple CLIs and run chroot in
>as many simultaneous instances as memory and disk space allow? 

Sure, but instances of what? Processes, not kernels. You couldn't, for
instance, test the setup of a high availability cluster...


>[somewhat OT: ]
>Also if one can break out
>of a chroot environment then they have the skill to own the machine
>anyway. You need to be able to find and use a security flaw on the
>machine that would give you root access and have access inside of
>the chrooted environment to a compiler or perl interpreter. So the
>fact that one could own a machine from inside a chroot environment
>doesn't increase the possibility that someone could get root access.

Unless of course you _want_ to give someone root access without fear that
they can subvert their host. Chroot is fine for running services under a low
privilege account in a jail. It isn't a cure-all.


>Although what that has to do with wanting to run a VM, which is what
>this thread is about, eludes me. In order to run a VM a user would
>need an account on your box, and if they are going to crack your
>system and have the knowledge to break out of a chrooted environment,
>then they can own your box from their user account. 

In order to run a UML VM on a box, you need to run a UML instance which the
end user could log into. They don't need _access_ to an account on the UML
host, except to the extent that the UML instance would be running under some
set of credentials.

With UML I can give anyone I wish a root account on their own virtual Linux
box... I still have to worry about them misusing it or being penetrated, but
not so much about attempts to subvert the UML host. I think UML is a promising
choice for ISPs who offer co-hosting services.

--
Garrett Goebel
IS Development Specialist

ScriptPro                   Direct: 913.403.5261
5828 Reeds Road               Main: 913.384.1008
Mission, KS 66202              Fax: 913.384.2180
www.scriptpro.com          garrett at scriptpro dot com

