From: William S. <wst...@po...> - 2000-03-14 16:51:32
On Tue, 14 Mar 2000, Jon Bendtsen wrote:

> how secure is usermode linux ??

In the sense that the uml environment cleanly partitions applications, it adds a lovely level of security for untrusted apps. It's essentially a software sandbox; a safe place to play with untrusted apps. I plan to write an article for LinuxMonth expanding on that idea and showing how to do it.

The fact that (with a few current minor quirks) uml can be run as a non-root user in the host OS means that even if the entire uml could be somehow compromised (and even that's a real stretch for me), one could still not use it to directly gain root in the host OS.

> i was thinking at using it to implement a virtual linux for each and every
> service my computer runs, and then have the actual linux at the computer
> to run backups and checking the log files to see what happens.

A nice idea, with a few considerations. I hope others will chime in with their ideas too:

UML appears to have somewhat of a performance overhead that I'm sure Jeff is working on. Networking can have noticeable delays, I believe I remember reading that when a disk sector is being requested, the rest of uml is held up (please clarify, Jeff; it's a hazy memory), and the idle thread tends to soak up a lot of CPU time (although it's not clear whether that truly has any effect on either uml or the host). Granted, my only testing has been on a machine with a slow CPU and very little memory; others may find that it flies!

For that reason, I'd suggest that a good half-way point might be to run all daemons that need to be run as root in a uml.

The ultimate way to accomplish this would be to have a shared, read-only filesystem with all the files that no-one needs to write to and a much smaller writeable root with symlinks for directories and writeable /var, /tmp, /etc, etc. directories. Each uml mounts its own writeable root and this shared space. The local root filesystem could include just the locally run daemons.

It would take quite a bit of work to do correctly, but it would be a fun project.

Jeff - if the file on the host OS is read-only for the user running UML, can I mount it read-only in UML? That would seem like a reasonably secure way of making sure none of the umls can corrupt or modify the shared filespace.

Cheers,
- Bill

---------------------------------------------------------------------------
Having Microsoft give us advice on open standards is like W.C. Fields giving moral advice to the Mormon Tabernacle Choir
-- Scott McNealy, Sun Microsystems Inc. (Courtesy of Michael Remski <mr...@ix...>)
--------------------------------------------------------------------------
William Stearns (wst...@po...). Mason, Buildkernel, named2hosts, and ipfwadm2ipchains are at: http://www.pobox.com/~wstearns
LinuxMonth; articles for Linux Enthusiasts! http://www.linuxmonth.com
--------------------------------------------------------------------------
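The "shared read-only tree plus small writeable per-instance root" layout sketched in the message above, as an added shell example that is not from the original thread or the UML project: it builds the skeleton on plain host directories (no UML, no mounts, so it can be tried as an ordinary user), seeds each instance's private /etc from the shared template, and checks that nothing in the shared tree carries a write bit. The directory split and all paths are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: per-instance writable roots that
# symlink into one shared, read-only tree. Paths/splits are assumptions.
set -eu

SHARED_DIRS="bin sbin lib usr"   # assumed: files no instance ever writes
PRIVATE_DIRS="etc var tmp"       # assumed: per-instance writable directories

# make_shared SHARED: build a constructed sample shared tree, then strip
# every write bit so the host user running each uml cannot modify it.
make_shared() {
    shared=$1
    for d in $SHARED_DIRS; do mkdir -p "$shared/$d"; done
    mkdir -p "$shared/etc"                        # template for private /etc
    printf 'constructed sample binary\n' > "$shared/bin/sh.sample"
    printf 'hostname=template\n' > "$shared/etc/hostname"
    chmod -R a-w "$shared"
}

# make_instance SHARED ROOT: writable root; shared dirs are symlinks,
# private dirs are real directories seeded from the shared template.
make_instance() {
    shared=$1; root=$2
    mkdir -p "$root"
    for d in $SHARED_DIRS; do ln -s "$shared/$d" "$root/$d"; done
    for d in $PRIVATE_DIRS; do mkdir -p "$root/$d"; done
    cp -R "$shared/etc/." "$root/etc/"
    chmod -R u+w "$root/etc"                      # copies inherit a-w; undo
    chmod 1777 "$root/tmp"
}

# check_instance SHARED ROOT: return 0 only if the layout is as designed.
check_instance() {
    shared=$1; root=$2
    for d in $SHARED_DIRS; do
        [ -L "$root/$d" ] || return 1
        [ "$(readlink "$root/$d")" = "$shared/$d" ] || return 1
    done
    for d in $PRIVATE_DIRS; do
        [ -d "$root/$d" ] && [ ! -L "$root/$d" ] || return 1
    done
    # No file or directory in the shared tree may be writable by anyone.
    writable=$(find "$shared" \( -perm -u+w -o -perm -g+w -o -perm -o+w \))
    [ -z "$writable" ] || return 1
}
```

On a real host the shared tree would be a disk image the uml user can only read, and the check on write bits stands in for the "mount it read-only" question raised in the message.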