Re: [SAGE] JAILS (Re: Respondents needed for article on sysadmin survival)
On Fri, Jan 16, 2004 at 09:30:02PM -0800, Mason Schmitt wrote:
> On January 16, 2004 03:26 pm, Adam S. Moskowitz wrote:
>> "Dustin Puryear" <dpuryear@usa.net> wrote:
>>> I wonder if anyone has tried to do a performance comparison of running
>>> real-world services (i.e., a mail server with AV and spam filtering)
>>> under a FreeBSD jail, user-mode Linux, and VMware.
> Add to that list vserver. The project is somewhat fractured at the moment
> but, in my opinion, is an excellent concept that is very light on system
> resources and has some excellent security features while still being very
> hardware independent thus easy to transport to other machines.
> http://www.solucorp.qc.ca/miscprj/s_context.hc?prjstate=1&nodoc=0
> Mason
More information (and more up-to-date) at: http://www.linux-vserver.org/
Does anyone here know if this project has overcome the "one IP address
or sub-interface per zone" yet?
There are a number of other projects that offer various levels of
virtualization and jailing under Linux.
For instance Medusa DS9 (http://medusa.fornax.sk/ ), has "virtual spaces"
and RSBAC (http://www.rsbac.org/ ) has a "Jail" module that's supposed
to implement something akin to FreeBSD jails.
As for hardening old-fashioned chroot jails, most of the Linux kernel
security patches like LIDS (http://www.lids.org/ ) and GRSecurity
(http://www.grsecurity.net/ ) all have various features to facilitate
root-safe chroot jails. For that matter it's possible just using
lcap (Linux "capabilities") wrappers.
The main things that VServer adds to these are patches that limit
access to ifconfig functionality even by root (from inside any jail)
and limit the /proc contents for each jail --- so process listings are
isolated to the same jails (presumably the isolation goes deeper so
root in a jail can't send signals to processes from other jails, by
blindly guessing at PIDs). There's also some odd "init emulation"
so each jail has a process with a simulated PID==1 and the ability to
"shutdown" and "change runlevels" in each jail independently.
Personally I'm not sure about the maturity of any of these approaches.
But they're all interesting to read about, and eventually I'll try
some more of them for more than a trivial hour of play.
If I had a suitably tolerant colocation facility I'd love to have
a set of machines each configured with different LIDS, GRSecurity,
VServer, etc. patches --- and have them as "honeypot" challenges
for a public game of "capture the flag." However, we'd have to
make it "semi-public" and get them all to agree to some "no DoS"
rules to prevent problems with the ISP's other customers.
--
Jim Dennis