| 1 |
On 04/11/2010 21:56, pageexec@××××××××.hu wrote: |
| 2 |
> On 3 Nov 2010 at 18:24, Ed W wrote: |
| 3 |
> |
| 4 |
>> Up until now I have also been running kernels with the grsec patches, |
| 5 |
>> but merging those with linux-vserver is relatively complex since there |
| 6 |
>> is some overlap. Additionally it would appear that linux-vservers offer |
| 7 |
>> a large chunk of the protection that the grsec restrictions should |
| 8 |
>> offer. You loose the grsec RBAC system by going only PAX, but that |
| 9 |
>> doesn't quite work as expected with vservers, so I would think most |
| 10 |
>> users wouldn't implement that anyway |
| 11 |
> how about http://linux-vserver.org/Welcome_to_Linux-VServer.org ? ;) |
| 12 |
> |
| 13 |
|
| 14 |
Sorry to be dim, but I don't get it? That's just the front page of the |
| 15 |
vserver project? |
| 16 |
|
| 17 |
Is your point that the grsec+vserver patches are quite out of date? If |
| 18 |
so then yes I agree - that's really how this conversation has come |
| 19 |
about. At the moment they are produced by "Harry" who has decreased |
| 20 |
time to work on them. The suggestion is to perhaps to use only |
| 21 |
vserver+pax, which should be much easier (and timely) to merge? |
| 22 |
|
| 23 |
Oh, also that first sentence should actually ready "I have been running |
| 24 |
with vserver + grsec patches" - was that your point? |
| 25 |
|
| 26 |
The pax changes are largely independent of the vserver code. The grsec |
| 27 |
stuff has significant and subtle overlaps with the vserver stuff (which |
| 28 |
is basically a bunch of somewhat hardened chroots), and merging is non |
| 29 |
trivial. I think that whilst grsec is a great set of hardenings, there |
| 30 |
is a case that the cost of maintaining the merged patch could be argued |
| 31 |
to outweight the benefits? For example I would invite your opinion, but |
| 32 |
it would appear that most of the chroot protections in grsec are covered |
| 33 |
by the vserver patch (obviously only with regards to breaking out of the |
| 34 |
vserver, not other chroots). There are some other bits of grsec that |
| 35 |
would be desirable to keep, eg the increased entropy pool, kernel |
| 36 |
logging and perhaps the /proc restrictions, but I'm hoping these will be |
| 37 |
easy to pull out and add on to a pax+vserver base? |
| 38 |
|
| 39 |
How likely is it that the grsec team would maintain a reduced patch |
| 40 |
without the chroot bits and the other stuff that is hard to merge with |
| 41 |
vserver? Actually - how likely that the grsec team would enhance the |
| 42 |
RBAC to work inside a chroot such a lxc/vservers? |
| 43 |
|
| 44 |
|
| 45 |
|
| 46 |
Anyway, the above is the reasoning behind going (at least initially) |
| 47 |
with pax rather than full grsec. However, the more important part of |
| 48 |
the proposal was really the use of vservers (ie fancy chroots) to split |
| 49 |
a monolithic server up into basically a setup where you pretty much |
| 50 |
chroot every service into it's own vserver. It can be argued this can |
| 51 |
be done already using other tools, but lets just call vservers a fancy |
| 52 |
chroot with wrappers to more easily maintain a more "full on chroot" |
| 53 |
which looks 3/4 of the way to a virtualisation product. |
| 54 |
|
| 55 |
I'm not sure if it needs justifying further, but I find that a "fat |
| 56 |
chroot" such as vserver makes it easier to maintain because you can use |
| 57 |
your normal package tools to maintain the software. Arguably you can |
| 58 |
get lighter still with custom chroots, but I find the overheads pretty |
| 59 |
negligible for my setup and the maintenance is very straightforward |
| 60 |
(especially if you introduce some custom profiles) |
| 61 |
|
| 62 |
Basically the security comes from splitting up the services into their |
| 63 |
own containers (compromise of one shouldn't affect the others) rather |
| 64 |
than trying to harden a single machine to be unbreakable. It's |
| 65 |
particularly interesting for web apps where coding errors are common and |
| 66 |
easy to remotely exploit... |
| 67 |
|
| 68 |
|
| 69 |
I realise that you are part of the pax team so I'm a bit unsure what |
| 70 |
your question really was? Hopefully the above hits several of the |
| 71 |
things I think you might have meant? |
| 72 |
|
| 73 |
|
| 74 |
|
| 75 |
Cheers |
| 76 |
|
| 77 |
Ed W |
Archives