Klavs (Guru)
Joined: 22 May 2002  Posts: 536  Location: Denmark
Posted: Fri Oct 04, 2002 6:40 pm  Post subject: increasing Gentoo security with vserver
I was thinking that Gentoo would benefit greatly by adding vserver to the kernel (or make a vserver+crypt-sources and vserver+gentoo-sources kernel) - if you don't know vserver, it's a virtual server solution for Linux - that resembles the *BSD jail - but is in my opinion a better solution - it has no performance impact on the kernel - but still enables you to run each of your network services on a separate "server" - without wasting disk space - and thus keeping a hacked apache - from giving the hacker access to your entire system. And with the ext2/3 attributes like f.ex. immutable - one could easily lock down the box, so hackers wouldn't be able to change any files.
In short a really good improvement over security - especially in these times, where the security problems and worms - emerge earlier and earlier.
Best regards
Klavs Klavsen
_________________
Best regards,
Klavs Klavsen
Denmark
Working with Unix is like wrestling a worthy opponent.
Working with windows is like attacking a small whining child
who is carrying a .38.
cmolina (n00b)
Joined: 05 Feb 2003  Posts: 4  Location: Santa Cruz de Tenerife - España
Posted: Thu Apr 24, 2003 2:18 am  Post subject: Re: increasing Gentoo security with vserver
Klavs wrote:
> I was thinking that Gentoo would benefit greatly by adding vserver to the kernel (or make a vserver+crypt-sources and vserver+gentoo-sources kernel) - if you don't know vserver, it's a virtual server solution for Linux - that resembles the *BSD jail - but is in my opinion a better solution - it has no performance impact on the kernel - but still enables you to run each of your network services on a separate "server" - without wasting disk space - and thus keeping a hacked apache - from giving the hacker access to your entire system. And with the ext2/3 attributes like f.ex. immutable - one could easily lock down the box, so hackers wouldn't be able to change any files.
> In short a really good improvement over security - especially in these times, where the security problems and worms - emerge earlier and earlier.
> Best regards
> Klavs Klavsen
I installed vserver (wolk kernel) successfully on a gentoo server. The main issue that I found is that the vserver user tools (vserver scripts) from the vserver web site are fully for RedHat. Indeed, it requires linuxconf (???).
Now, I know that I can make a vserver manually, but it is a lot of work to set networking, set the config files, etc etc etc...
Has anybody "gentoonized" the vserver scripts to create, maintain and administer vservers..??
I can start this ebuild, but it is some work, because it should do several tasks.
Anybody wants to share this task with me..??
Thanks a lot
Carlos
Klavs (Guru)
Joined: 22 May 2002  Posts: 536  Location: Denmark
Posted: Mon Apr 28, 2003 9:38 am  Post subject:
Another guy called Georges from the vserver list and I were thinking of making a vserver skel-ebuild.
It's not very hard.
If you use the vserver-0.2.2.ebuild file I made (it's in bugs.gentoo.org) then you'll only have to set a std.config file + S_START="/sbin/rc default" & S_STOP="/sbin/rc shutdown" (tells the vserver script to use this instead of the default RH init system to control the server) - and then you just have to
make a small /etc/init.d/dummy-service - that does nothing - and hardlink all the services that won't work in vserver (net, clock etc. etc.) to it - this way it'll work as a normal vserver.
p.s. Consider using chattr +i <files-that-have-been-hardlinked-to-dummy-service> so an upgrade of some program doesn't accidentally overwrite them.
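As an added example, not code from the thread or from the vserver project, the following POSIX shell script carries out the recipe in the post above: it writes the two S_START/S_STOP overrides, creates a no-op /etc/init.d/dummy-service inside the guest root, hardlinks the host-only services to it, and optionally marks the lot immutable with chattr +i. VSERVER_ROOT (the guest's root directory), the config file path passed to write_std_config, and the DISABLED_SERVICES list are assumptions and can be adjusted.

```shell
#!/bin/sh
# Added example, not code from the thread or from the vserver project.
# It lays out the "dummy-service" trick inside a vserver guest root:
# one no-op Gentoo init script, the host-only services hardlinked to it,
# and (optionally) everything marked immutable so a package upgrade
# cannot overwrite the links.
#
# Assumptions: VSERVER_ROOT is the guest's root directory (e.g. /vservers/web;
# defaults to "." for a dry run) and DISABLED_SERVICES is a constructed list
# of init scripts that touch host-global state and must not run in a guest.

VSERVER_ROOT="${VSERVER_ROOT:-.}"
DISABLED_SERVICES="net.eth0 clock modules consolefont keymaps"

# Write the two overrides from the post into the vserver config file given
# as $1 (the path is an assumption; the vserver script reads it on start/stop).
write_std_config() {
    mkdir -p "$(dirname "$1")"
    cat > "$1" <<'EOF'
S_START="/sbin/rc default"
S_STOP="/sbin/rc shutdown"
EOF
}

# Create the no-op init script that stands in for the disabled services.
make_dummy_service() {
    dir="$VSERVER_ROOT/etc/init.d"
    mkdir -p "$dir"
    cat > "$dir/dummy-service" <<'EOF'
#!/sbin/runscript
# Does nothing: placeholder for services that must not run inside a vserver.
start() { return 0; }
stop() { return 0; }
EOF
    chmod 755 "$dir/dummy-service"
}

# Replace each disabled service with a hardlink to dummy-service, so
# "rc default" still finds a script under that name but it does nothing.
neutralise_services() {
    dir="$VSERVER_ROOT/etc/init.d"
    for svc in $DISABLED_SERVICES; do
        rm -f "$dir/$svc"
        ln "$dir/dummy-service" "$dir/$svc"
    done
}

# Return 0 when the named init script shares an inode with dummy-service
# (i.e. the hardlink is still in place after an upgrade).
is_hardlinked_to_dummy() {
    dir="$VSERVER_ROOT/etc/init.d"
    [ "$dir/$1" -ef "$dir/dummy-service" ]
}

# The p.s. from the post: chattr +i needs root and an ext2/ext3 filesystem,
# so failures are reported rather than fatal. Run "chattr -i" before an
# intentional change, or the next emerge will fail to replace the file.
lock_services() {
    dir="$VSERVER_ROOT/etc/init.d"
    for svc in dummy-service $DISABLED_SERVICES; do
        chattr +i "$dir/$svc" 2>/dev/null ||
            echo "could not set +i on $svc (needs root on ext2/3)" >&2
    done
}

# Run as root on the host with VSERVER_ROOT pointing at the guest root:
#   VSERVER_ROOT=/vservers/web sh this-script.sh apply
if [ "$1" = "apply" ]; then
    make_dummy_service && neutralise_services && lock_services
fi
```

Hardlinks rather than symlinks are used on purpose: a symlink pointing at dummy-service would be replaced wholesale by a package upgrade, while a hardlinked, immutable file makes the upgrade fail loudly, which is what you want to notice.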
Lovechild (Advocate)
Joined: 17 May 2002  Posts: 2858  Location: Århus, Denmark
Posted: Mon Apr 28, 2003 10:39 am  Post subject:
So vserver is like UML?
Klavs (Guru)
Joined: 22 May 2002  Posts: 536  Location: Denmark
Posted: Mon Apr 28, 2003 10:56 am  Post subject:
Well actually no.
It's a virtual machine - but it uses chroot - so it's more like FreeBSD's Jail - in that it doesn't reserve memory (and thus waste it if it's not fully used) for each vserver - and there's also no overhead in running vserver - as opposed to UML which is quite expensive (20-30% overhead I believe).
I've made a presentation of it once - see it here (in Danish - non-Danish speakers can read the docs on www.solucorp.qc.ca/miscprj/s_context.hc ) http://vsen.dk/vserver-pres-sslug