[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: using sarge on production machines

>>>>> "Marc" == Marc Haber <mh+debian-security@zugschlus.de> writes:

    Marc> Nice idea. However, if somebody roots one of the UML
    Marc> installation, that somebody can probably escape out of the
    Marc> UML and gain user privileges on the host system and then use
    Marc> one of the numerous kernel vulnerabilities (I have long lost
    Marc> track of them) to escalate to root on the host system.

    Marc> I am quite sceptical about using UML to allow security flaws
    Marc> in UMLled system components.

How pray tell do they do that ? A minimal UML chroot requires one file
- the user mode linux binary. Check out the following :-


which discusses how UML can help with security and mentions
chroot. Since this paper was written many people have used chrooted
UMLs with great success.

And just because one wants to use newer versions of packages on
another "machine" (in theis case a virtual machine) doesn't mean that
the physical host is left running old versions of packages with
security holes in it. The original poster never mentioned leaving the
machine unsecured.


Adrian Phillips

Who really wrote the works of William Shakespeare ?

Reply to: