All times are UTC

 Post subject: Does Zenwalk/Zenserver have a sandbox security mechanism?
Posted: Tue Feb 19, 2008 7:17 pm
Experienced Zenwalker

Joined: Tue Jan 02, 2007 6:38 pm
Posts: 102
Location: Norway
Hi!

I was searching the Zenserver repositories (current) looking for something equivalent to the FreeBSD jails. The first thing which popped into my mind was the Linux-VServer, but I couldn't find it in the repositories. Do I need new glasses? :-\ Or do there exist other applications in the Zen repositories which give better alternatives than the old insecure chroot method?

Well, I can try to explain what I'm looking for, and then maybe someone will reply.

The chroot utility can be used to change the root directory of a set of processes, creating a safe environment, separate from the rest of the system. Processes created in the chrooted environment cannot access files or resources outside of it. For that reason, compromising a service running in a chrooted environment should not allow the attacker to compromise the entire system. These features make it especially attractive to run daemons/services on a bastion host in a chrooted environment, like an httpd server, where PHP code on the host can be used by an attacker to (in the worst scenario) gain root privileges. Many ways have been found to escape from a chrooted environment and, although they have been fixed in modern versions of the Linux kernel, it is clear that chroot is not the ideal solution for securing services.

I mentioned Linux-VServer as a solution to this problem, but I couldn't find it in the repositories. It also seems to be a bit complex compared to FreeBSD's jails. If you know of any good solution to this problem, please tell me. I really think this functionality is important, especially in a server system like Zenserver, but it's also very helpful for packagers, since they can build and test packages on clean systems without having to install resource-hungry applications like Qemu, Xen and VMware, and the system is easier to maintain.


 Post subject: Re: Does Zenwalk/Zenserver have a sandbox security mechanism?
Posted: Tue Feb 19, 2008 11:14 pm
Experienced Zenwalker

Joined: Mon Dec 03, 2007 2:45 pm
Posts: 114
Building VServers on Slackware
http://www.cilinder.be/2007/11/14/build ... kware.html

Jailkit
http://olivier.sessink.nl/jailkit/


 Post subject: Re: Does Zenwalk/Zenserver have a sandbox security mechanism?
Posted: Wed Feb 20, 2008 9:55 am
Experienced Zenwalker

Joined: Tue Jan 02, 2007 6:38 pm
Posts: 102
Location: Norway
Thanks mate!

Jailkit looked nice, but I'm a bit skeptical. It uses a tool, jk_chroot, which is based on the old, insecure chroot. I would like to see them take a different approach and not base the system on something which is already insecure. They also make a big point that a wrongly configured jail makes the system very insecure, which scares me a bit away from using their system as well.

The blog about Linux-VServer wasn't complete, but it's a lot better than the Linux-VServer documentation alone. Thanks!

After reading some of the posts in this forum, I'm afraid I'm just wasting my time securing a bastion host with Zenserver. A bastion host should be über secure, but if Zenwalk is only launching unofficial security advisories in the forum and not actual fixes, this might be a great problem. Maybe another distribution/OS would make a better choice for a bastion host?


Last edited by brebbesvik on Wed Feb 20, 2008 9:58 am, edited 1 time in total.
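
The worry in the post above, that a wrongly configured jail makes the system very insecure, can be checked mechanically. The following is an added example, not part of the thread and not Jailkit's code: a hypothetical `audit_jail` helper that walks a jail tree and flags common chroot hygiene problems (untrusted ownership, group/world-writable paths, setuid/setgid files, device nodes). The rule set and the sample tree built by `build_sample_jail` are assumptions constructed for illustration.

```python
import os
import shutil
import stat
import tempfile


def audit_jail(jail_root, owner_uid=0):
    """Return sorted (relative path, problem) pairs for a chroot jail tree."""
    findings = []
    for dirpath, _dirs, files in os.walk(jail_root):
        for path in [dirpath] + [os.path.join(dirpath, f) for f in files]:
            st = os.lstat(path)
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue  # a symlink's own mode bits carry no permissions
            rel = os.path.relpath(path, jail_root)
            if st.st_uid != owner_uid:
                findings.append((rel, "not owned by trusted uid"))
            sticky_dir = stat.S_ISDIR(mode) and mode & stat.S_ISVTX
            if mode & (stat.S_IWGRP | stat.S_IWOTH) and not sticky_dir:
                findings.append((rel, "group/world writable"))
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append((rel, "setuid/setgid binary"))
            if stat.S_ISCHR(mode) or stat.S_ISBLK(mode):
                findings.append((rel, "device node"))
    return sorted(findings)


def build_sample_jail():
    """Constructed sample: a tiny jail tree with two deliberate mistakes."""
    root = tempfile.mkdtemp(prefix="jail-")
    os.chmod(root, 0o755)
    layout = {"bin/sh": 0o755, "bin/helper": 0o4755, "etc/passwd": 0o644}
    for rel, file_mode in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), mode=0o755, exist_ok=True)
        with open(path, "w") as fh:
            fh.write("constructed sample\n")
        os.chmod(path, file_mode)  # bin/helper: setuid inside the jail
    os.chmod(os.path.join(root, "etc"), 0o777)  # writable config directory
    return root


if __name__ == "__main__":
    sample = build_sample_jail()
    for rel, problem in audit_jail(sample, owner_uid=os.getuid()):
        print(f"{rel}: {problem}")
    shutil.rmtree(sample)
```

On a real jail the default `owner_uid=0` applies, so anything inside the tree that the jailed account owns or can write to is reported for review.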
 Post subject: Re: Does Zenwalk/Zenserver have a sandbox security mechanism?
Posted: Thu Apr 03, 2008 6:01 am
Master of the known universe

Joined: Thu Mar 29, 2007 2:34 am
Posts: 1212
Location: Taiwan
Maybe this would suit you better:

http://user-mode-linux.sourceforge.net/


 Post subject: Re: Does Zenwalk/Zenserver have a sandbox security mechanism?
Posted: Fri May 16, 2008 6:48 am
Master of the known universe

Joined: Thu Mar 29, 2007 2:34 am
Posts: 1212
Location: Taiwan
I found a simpler and interesting "sandbox" environment software:

Plash
http://plash.beasts.org/wiki/

