1 |
On 04/11/2010 21:56, pageexec@××××××××.hu wrote: |
2 |
> On 3 Nov 2010 at 18:24, Ed W wrote: |
3 |
> |
4 |
>> Up until now I have also been running kernels with the grsec patches, |
5 |
>> but merging those with linux-vserver is relatively complex since there |
6 |
>> is some overlap. Additionally it would appear that linux-vservers offer |
7 |
>> a large chunk of the protection that the grsec restrictions should |
8 |
>> offer. You loose the grsec RBAC system by going only PAX, but that |
9 |
>> doesn't quite work as expected with vservers, so I would think most |
10 |
>> users wouldn't implement that anyway |
11 |
> how about http://linux-vserver.org/Welcome_to_Linux-VServer.org ? ;) |
12 |
> |
13 |
|
14 |
Sorry to be dim, but I don't get it? That's just the front page of the |
15 |
vserver project? |
16 |
|
17 |
Is your point that the grsec+vserver patches are quite out of date? If |
18 |
so then yes I agree - that's really how this conversation has come |
19 |
about. At the moment they are produced by "Harry" who has decreased |
20 |
time to work on them. The suggestion is to perhaps to use only |
21 |
vserver+pax, which should be much easier (and timely) to merge? |
22 |
|
23 |
Oh, also that first sentence should actually ready "I have been running |
24 |
with vserver + grsec patches" - was that your point? |
25 |
|
26 |
The pax changes are largely independent of the vserver code. The grsec |
27 |
stuff has significant and subtle overlaps with the vserver stuff (which |
28 |
is basically a bunch of somewhat hardened chroots), and merging is non |
29 |
trivial. I think that whilst grsec is a great set of hardenings, there |
30 |
is a case that the cost of maintaining the merged patch could be argued |
31 |
to outweight the benefits? For example I would invite your opinion, but |
32 |
it would appear that most of the chroot protections in grsec are covered |
33 |
by the vserver patch (obviously only with regards to breaking out of the |
34 |
vserver, not other chroots). There are some other bits of grsec that |
35 |
would be desirable to keep, eg the increased entropy pool, kernel |
36 |
logging and perhaps the /proc restrictions, but I'm hoping these will be |
37 |
easy to pull out and add on to a pax+vserver base? |
38 |
|
39 |
How likely is it that the grsec team would maintain a reduced patch |
40 |
without the chroot bits and the other stuff that is hard to merge with |
41 |
vserver? Actually - how likely that the grsec team would enhance the |
42 |
RBAC to work inside a chroot such a lxc/vservers? |
43 |
|
44 |
|
45 |
|
46 |
Anyway, the above is the reasoning behind going (at least initially) |
47 |
with pax rather than full grsec. However, the more important part of |
48 |
the proposal was really the use of vservers (ie fancy chroots) to split |
49 |
a monolithic server up into basically a setup where you pretty much |
50 |
chroot every service into it's own vserver. It can be argued this can |
51 |
be done already using other tools, but lets just call vservers a fancy |
52 |
chroot with wrappers to more easily maintain a more "full on chroot" |
53 |
which looks 3/4 of the way to a virtualisation product. |
54 |
|
55 |
I'm not sure if it needs justifying further, but I find that a "fat |
56 |
chroot" such as vserver makes it easier to maintain because you can use |
57 |
your normal package tools to maintain the software. Arguably you can |
58 |
get lighter still with custom chroots, but I find the overheads pretty |
59 |
negligible for my setup and the maintenance is very straightforward |
60 |
(especially if you introduce some custom profiles) |
61 |
|
62 |
Basically the security comes from splitting up the services into their |
63 |
own containers (compromise of one shouldn't affect the others) rather |
64 |
than trying to harden a single machine to be unbreakable. It's |
65 |
particularly interesting for web apps where coding errors are common and |
66 |
easy to remotely exploit... |
67 |
|
68 |
|
69 |
I realise that you are part of the pax team so I'm a bit unsure what |
70 |
your question really was? Hopefully the above hits several of the |
71 |
things I think you might have meant? |
72 |
|
73 |
|
74 |
|
75 |
Cheers |
76 |
|
77 |
Ed W |