Re: [Hampshire] chroot vs. virtual machine.

Author: Hugo Mills
Date:  
To: Hampshire LUG Discussion List
Subject: Re: [Hampshire] chroot vs. virtual machine.

gpg: Signature made Tue Jul 28 12:06:52 2009 BST
gpg: using DSA key 20ACB3BE515C238D
gpg: Can't check signature: No public key
On Tue, Jul 28, 2009 at 11:56:52AM +0100, James Courtier-Dutton wrote:
> All I wish to run is a DNS bind server and an Apache J2EE application server.
> What real benefits will a virtual machine have over a chroot environment?
> I am on the side that says that chroot should be good enough.
> chroot makes much more effective use of filespace between multiple
> chroot environments.


As long as neither application is running as root, a chroot should
be sufficient. However, once you have something running as root inside
a chroot, it's trivial for it to break out of the chroot. (I forget
the exact mechanism, but I think it's about two commands to do it, and
is expected and designed behaviour).

You will also need to place limits on filesystem usage for the
chroot users (quotas, or a separate filesystem for the chroot), as if
they're cracked, the attacker could DoS by filling up the filesystem.

Finally, if you use a chroot, you're still vulnerable to a
combination of remote exploit to get into the chroot in the first
place, and then a local root exploit to get out of it into the main
system.

None of the above issues applies (so much) to a VM environment.

Hugo.

-- 
=== Hugo Mills: hugo@... carfax.org.uk | darksatanic.net | lug.org.uk ===
  PGP key: 515C238D from wwwkeys.eu.pgp.net or http://www.carfax.org.uk
         --- Great oxymorons of the world, no. 8: The Latest ---         
                          In Proven Technology
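
Added example, not part of the message above or of any project it mentions: one way a service launcher can satisfy the "not running as root" condition by entering the chroot and then permanently dropping root before any service code runs. The function name `enter_jail`, its return codes, and its policy of refusing uid 0 or gid 0 are assumptions of this sketch.

```c
#define _DEFAULT_SOURCE
#include <grp.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

/* Return codes for enter_jail() (names are this example's own). */
enum { JAIL_OK = 0, JAIL_REFUSED = -1, JAIL_FAILED = -2 };

/*
 * Confine the calling process to `dir` and give up root for good.
 * Must be called as root (chroot(2) needs CAP_SYS_CHROOT); on success
 * the process runs as uid/gid with no supplementary groups.
 * Any failure is fatal for the caller: never continue half-confined.
 */
int enter_jail(const char *dir, uid_t uid, gid_t gid)
{
    /* A jail that keeps uid 0 or gid 0 is the case the message warns about. */
    if (dir == NULL || uid == 0 || gid == 0)
        return JAIL_REFUSED;

    /* chdir, chroot("."), chdir("/"): leaves no working directory
       that still points outside the new root. */
    if (chdir(dir) != 0 || chroot(".") != 0 || chdir("/") != 0)
        return JAIL_FAILED;

    /* Order matters: groups and gid must be changed while still uid 0. */
    if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0)
        return JAIL_FAILED;

    /* Verify the drop is complete and cannot be undone. */
    if (setuid(0) == 0 || getuid() != uid || geteuid() != uid ||
        getgid() != gid || getegid() != gid)
        return JAIL_FAILED;

    return JAIL_OK;
}

int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <jail-dir> <uid> <gid>\n", argv[0]);
        return 2;
    }
    int rc = enter_jail(argv[1], (uid_t)atoi(argv[2]), (gid_t)atoi(argv[3]));
    printf("enter_jail: %d, now uid=%d gid=%d\n", rc, (int)getuid(), (int)getgid());
    return rc == JAIL_OK ? 0 : 1;
}
```

File descriptors opened before the call stay open afterwards, so the launcher should close any that refer to objects outside the jail directory first.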