[ale] Anyone checked out Slackware 12 yet?

Michael B. Trausch michael.trausch at gmail.com
Wed Jul 4 10:52:03 EDT 2007


On Wed, 2007-07-04 at 08:15 -0400, Paul Cartwright wrote:

> not sure what you mean about BSD jails.. my openSUSE system acts just
> like my old AT&T UNIX..
> I burned the slackware DVD, but haven't installed it yet, kinda busy
> right now, getting ready for our trip to DC.. family gathering (YUCK).
> but I did install xfce 4.4.1 and I'm running that NOW as my window
> manager on my SUSE system..


BSD systems (like FreeBSD, and I think OpenBSD) have a kernel-based jail
functionality that enables you to run completely separate, lightweight
virtual machines with their own spaces for networking, processes, etc.
They get their own view of the system, and uid 0 inside the jail is
meaningless outside the jail (unless you go out of your way to give it
some meaning in the outside system, too).  The only thing is that the
kernel running in the system is the kernel that manages the VM, so it's
not a complete VM (but that is also what makes it lightweight).  It's
really wonderful for sandboxing things that you don't trust.  chroot
does some, but not all of that; it just works on the filesystem level.
BSD jails restrict the world view all the way down to processes reported
by ps, enforce IP address bounds for jails, and so forth.  The only
thing that a BSD jail isn't useful for is testing a new release of BSD.

But it is wonderful to be able to run a sandboxed Internet-facing SSH
server in.  The only way that you can get out of that SSH server and
into the rest of the network is by again using SSH.  And even if that
sandboxed environment is broken into by a root exploit, the break-in is
contained, which means you don't have to reinstall the operating system
outside of the jailed environment.  Just shut down the jail, remove any
ELF binaries and review any shell scripts, and then use the system
sources in /usr/src to reinstall the FreeBSD userland in the jail.  :-)

Granted, it is no excuse for lax security, and while I have never heard
of someone breaking out of a BSD jail, I am more than sure that it is at
least theoretically possible.  But, it is a mechanism that makes life
easier, allows you to separate servers running on the same machine from
each other, even hiding parts of the network from the jail if you want.
It really is useful.

There was a patch to Linux for similar functionality, but it went the
way of no maintainer, as I recall.  And that was quite some time ago,
too, I think.

    --- Mike

--
Michael B. Trausch
Web: http://www.trausch.us/
Phone: (404) 592-5746
Jabber IM/Email: michael.trausch at gmail.com
Demand Freedom!  Use open and free protocols, standards, and software!
Support free speech---it is the most valuable freedom we have!
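
A jail definition matching the Internet-facing SSH sandbox described in the message above, added here as an illustration and not part of the original post. It uses the jail.conf(5) format of later FreeBSD releases; the jail name, path, hostname, interface and address are assumed placeholders.

```conf
# /etc/jail.conf -- constructed example; every name and address is a placeholder
sshgate {
    # Filesystem view: the jail's root, holding its own copy of the userland.
    path = "/usr/jails/sshgate";
    host.hostname = "sshgate.example.org";

    # Network bounds: processes in the jail can bind to and send from
    # this one address only. "interface" adds it as an alias at start.
    interface = "em0";
    ip4.addr = "192.0.2.10";

    # Boot and shut down the jail's own rc system. sshd is enabled in the
    # jail's /etc/rc.conf (sshd_enable="YES"), not in the host's.
    exec.start = "/bin/sh /etc/rc";
    exec.stop = "/bin/sh /etc/rc.shutdown";
    exec.clean;                  # do not pass the host environment into the jail

    # Device nodes: mount a devfs restricted to the stock jail ruleset
    # (devfsrules_jail, ruleset 4 in /etc/defaults/devfs.rules).
    mount.devfs;
    devfs_ruleset = 4;

    # What uid 0 inside the jail may do. These match the restrictive
    # defaults and are spelled out so a later edit is a visible change.
    allow.raw_sockets = false;   # no raw sockets: no ping, no packet crafting
    allow.mount = false;         # root in the jail cannot mount filesystems
    allow.sysvipc = false;       # no SysV IPC shared with the host
    allow.set_hostname = false;  # hostname is fixed from outside
    children.max = 0;            # no nested jails
    enforce_statfs = 2;          # hide mount points outside the jail root

    # Raise the securelevel seen inside the jail.
    securelevel = 2;
}

# From the host:
#   jail -c sshgate        create and start the jail from this file
#   jls                    list running jails with their address and path
#   jexec sshgate ps ax    shows only the jail's own processes
#   jail -r sshgate        stop it, e.g. before rebuilding its userland
```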