Re: using sarge on production machines
--- Marc Haber <mh+debian-security@zugschlus.de> wrote:
> Nice idea. However, if somebody roots one of the UML installations,
> that somebody can probably escape out of the UML and gain user
> privileges on the host system and then use one of the numerous kernel
> vulnerabilities (I have long lost track of them) to escalate to root
> on the host system.
I can't guarantee 100% security but I can make it harder for someone to
do it; it's a trade-off.
As for gaining user rights on the host, each user has passwords
disabled and is in a chroot jail. The kernel is statically linked so
there are 2 files in the jail, the kernel and the filesystem.
It might not be bulletproof but then I have yet to hear of anything that is.
> I am quite sceptical about using UML to allow security flaws in
> UMLled system components.
That's not what I am doing, I offer UML accounts because people want
root on a machine. I am certainly not about to give them all root on
the host.
Harry