From: Nuno S. <nun...@vg...> - 2003-06-25 00:43:06

Hello!

Matt Zimmerman wrote:
> So does any other method of chrooting UML, unless the UML binary itself and
> all auxiliary files are also inside the chroot (leading to an escape from
> UML if the user can manage to modify the on-disk UML executable). If the
> idea is to keep the user contained, the chroot should be as empty as
> possible.

I keep everything inside the chroot owned by another user. The file containing the filesystem is mode 666 (rw-rw-rw-) so that the filesystem is read-write.

The tmpfs filesystem should have limited inodes, too.

If you want to harden your setup you should take a look at some of the security patches out there (grsecurity for instance) and the methods they provide to restrict processes and users.

Regards,
Nuno Silva
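As an added example (not from the thread, and not UML's or grsecurity's own code), here is a small POSIX shell audit that checks a chroot directory for the three properties Nuno lists: the filesystem image is mode 666, nothing inside the chroot is owned by the uid UML runs as, and the tmpfs mount carries an `nr_inodes=` limit. The directory layout, the uid, and the mount-table line it runs on are constructed sample values; on a real host you would pass the actual chroot path, the real uid, and the output of `cat /proc/mounts`. It needs GNU `stat` and `find`.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. Audits a UML chroot
# against the properties described in the post. All paths, uids and the
# mount-table line used in the demo are constructed, not taken from the thread.
# Run it from the host, outside the chroot. Requires GNU stat/find (Linux).

# 0 if file $1 has exactly octal mode $2 (e.g. 666 for the root_fs image).
has_mode() {
    [ "$(stat -c '%a' "$1")" = "$2" ]
}

# 0 if nothing under directory $1 is owned by uid (or user name) $2.
# Pass the uid UML runs as: files it owns inside the chroot are files it can
# modify, which is the escape route the quoted message warns about.
none_owned_by() {
    [ -z "$(find "$1" -user "$2" 2>/dev/null | head -n 1)" ]
}

# 0 if the mount table text $1 (same format as /proc/mounts) shows a tmpfs at
# mount point $2 mounted with an nr_inodes= limit. The corresponding mount
# command would be: mount -t tmpfs -o nr_inodes=1024,size=64m tmpfs <mountpoint>
# (the numbers are assumptions; pick them for your own workload).
tmpfs_has_inode_limit() {
    printf '%s\n' "$1" | awk -v mp="$2" '
        $2 == mp && $3 == "tmpfs" && $4 ~ /(^|,)nr_inodes=/ { found = 1 }
        END { exit !found }'
}

# Runs the three checks, prints one line per check, returns the failure count.
audit_uml_chroot() {
    chroot_dir=$1; image=$2; uml_uid=$3; mounts=$4; tmp_mp=$5
    fails=0
    has_mode "$image" 666 && echo "ok   image is rw-rw-rw-" \
        || { echo "FAIL image mode is not 666"; fails=$((fails + 1)); }
    none_owned_by "$chroot_dir" "$uml_uid" \
        && echo "ok   no files in chroot owned by UML uid $uml_uid" \
        || { echo "FAIL files in chroot owned by uid $uml_uid"; fails=$((fails + 1)); }
    tmpfs_has_inode_limit "$mounts" "$tmp_mp" \
        && echo "ok   tmpfs at $tmp_mp has an nr_inodes limit" \
        || { echo "FAIL tmpfs at $tmp_mp has no nr_inodes limit"; fails=$((fails + 1)); }
    return "$fails"
}

# Constructed demo: a throwaway chroot layout in a temp dir and a made-up
# /proc/mounts line. Files are owned by whoever runs this, so the "UML uid"
# is chosen as any uid that is not the current one.
demo_uml_audit() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/uml/tmp"
    : > "$d/uml/root_fs"
    chmod 666 "$d/uml/root_fs"
    uml_uid=$(( $(id -u) + 1 ))
    mounts='tmpfs /uml/tmp tmpfs rw,nosuid,nodev,nr_inodes=1024,size=65536k 0 0'
    audit_uml_chroot "$d/uml" "$d/uml/root_fs" "$uml_uid" "$mounts" /uml/tmp
    rc=$?
    rm -rf "$d"
    return "$rc"
}

demo_uml_audit
```

The ownership check is the one that matters most for containment: a mode 666 image is writable by design, so the question is only whether the UML process can reach anything else in the chroot that it could rewrite. The inode-limit check reads a mount table rather than calling `mount`, so it can be run without root and against a saved copy of `/proc/mounts`.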