Re: using sarge on production machines
>>>>> "Marc" == Marc Haber <mh+debian-security@zugschlus.de> writes:
Marc> Nice idea. However, if somebody roots one of the UML
Marc> installation, that somebody can probably escape out of the
Marc> UML and gain user privileges on the host system and then use
Marc> one of the numerous kernel vulnerabilities (I have long lost
Marc> track of them) to escalate to root on the host system.
Marc> I am quite sceptical about using UML to allow security flaws
Marc> in UMLled system components.
How pray tell do they do that ? A minimal UML chroot requires one file
- the user mode linux binary. Check out the following :-
http://user-mode-linux.sourceforge.net/slides/ists2002/umlsec.htm
which discusses how UML can help with security and mentions
chroot. Since this paper was written many people have used chrooted
UMLs with great success.
And just because one wants to use newer versions of packages on
another "machine" (in theis case a virtual machine) doesn't mean that
the physical host is left running old versions of packages with
security holes in it. The original poster never mentioned leaving the
machine unsecured.
Sincerely,
Adrian Phillips
--
Who really wrote the works of William Shakespeare ?
http://www.pbs.org/wgbh/pages/frontline/shakespeare/
Reply to: