Subject: Re: replace chroot() with a chroot overlay file system?
To: Elad Efrat <elad@netbsd.org>
From: Brett Lymn <blymn@baesystems.com.au>
List: tech-security
Date: 11/07/2005 10:27:31
On Sun, Nov 06, 2005 at 05:03:24PM +0200, Elad Efrat wrote:
>
> He will, along with the code he'll send us when he finishes it.
>
That would be cool.
> Basically, it's another one of those marketing solutions that pretend
> to be related to security; just like chroot, jail, etc..
>
I have not seen much security related marketing done with zones.
Zones in Solaris are a combination of Solaris containers and resource
management. Solaris containers are a method of partitioning the
machine up using software - the partitioning seems to be done at the
syscall level, the machines share the same kernel but can only see
their own processes. The containers have their own root file system
that is chrooted somewhere on the host machine's filesystem, there are
varying levels of independence you can have when you set up the
container root fs (depends on how much disk space you want to blow on
the instance). The containers can be stopped/started/rebooted
independently of the host machine.
The other piece of the equation is the resource management which
allows you to bind resource limits to a container so the container can
only use a certain amount of cpu/memory/whatever. The combination of
this resource control with the container is called a Zone.
I wouldn't be comfortable using zones to control a security critical
set up, the stuff is too new to me to be comfortable with doing that
but I have used zones to consolidate machines running applications
that won't play nicely together on a single machine onto a single
machine running multiple zones.
--
Brett Lymn