
From: klavs klavsen (kl_at_vsen.dk)
Date: Thu 14 Feb 2002 - 13:50:08 GMT


I saw on the preliminary mailing list archive that lsm.immunix.org has
been discussed as an addon to the vserver kernel.patch.

I couldn't find the lsm mentioned on www.immunix.org, only stackguard,
subdomain and such.

I was wondering what your ideas are on this, if any?

SubDomain, for instance, could perhaps solve the issue of secure chroot
within vserver? If vserver does not already support it somehow.

I wonder how SubDomain handles file-sharing between two apps - like the
maildirs in my example.

Thank you, for your already greatly appreciated input.

I was thinking of taking my questions, and adding them to the FAQ or
writing my own.. to give people with curiosity like mine some more
answers to their questions.. this would also help show exactly what
usage the vserver patch enables. The mailing list archive will be a great
help.

On Thu, 2002-02-14 at 14:25, klavs klavsen wrote:
> Hi guys,
>
> I need to install and maintain 6 kinds of servers.
>
> 1 with Samba and OpenLDAP, 1 with Postfix, courier-imap, OpenLDAP and
> Apache, and so forth.
>
> What I wanted to do is to have them all installed on 1 physical
> machine, each under its own vserver.
>
> I was thinking, that it would be a good idea to chroot each service on
> each server, so that a vulnerability in one, doesn't put the other
> services on that machine in danger. Unfortunately chroot is not safe
> (see earlier mail on this list).
>
> I've read the docs on the site, but it's not really clear to me if I can
> do this, and how this compares to doing the same with chroot (except for
> the fact that chroot is not safe and vserver is :-)
>
> My questions therefore are these:
>
> Can I "chroot" each service on each vserver - without having to create a
> new vserver (with a new IP) for each service?
>
> In the case of postfix and courier-imap can two "chroot" jails share the
> same files (the maildir)?
>
> A final question, if I install ssh on each vserver - and the services
> are chrooted - will the ssh-users still be able to configure them? -
> they would with a normal chroot, so that shouldn't be a problem?
>
> --
> Regards,
> Klavs Klavsen
>
> -------------| This mail has been sent to you by: |------------
> Klavs Klavsen - OpenSource Consultant
> kl_at_vsen.dk - http://www.vsen.dk
>
> Get PGP key from www.keyserver.net - Key ID: 0x586D5BCA
> Fingerprint = A95E B57B 3CE0 9131 9D15 94DA E1CD 641E 586D 5BCA
> --------------------[ I believe that... ]-----------------------
> It is a myth that people resist change. People resist what other
> people make them do, not what they themselves choose to do...
> That's why companies that innovate successfully year after year
> seek their people's ideas, let them initiate new projects and
> encourage more experiments. -- Rosabeth Moss Kanter
>

-- 
Regards,
Klavs Klavsen

-------------| This mail has been sent to you by: |------------
Klavs Klavsen - OpenSource Consultant
kl_at_vsen.dk - http://www.vsen.dk

Get PGP key from www.keyserver.net - Key ID: 0x586D5BCA
Fingerprint = A95E B57B 3CE0 9131 9D15 94DA E1CD 641E 586D 5BCA
--------------------[ I believe that... ]-----------------------
It is a myth that people resist change. People resist what other
people make them do, not what they themselves choose to do...
That's why companies that innovate successfully year after year
seek their people's ideas, let them initiate new projects and
encourage more experiments. -- Rosabeth Moss Kanter



Generated on Wed 06 Nov 2002 - 07:03:39 GMT by hypermail 2.1.3