Announcement

Collapse
No announcement yet.

Microsoft Security Researcher Proposes Unprivileged Chroot For Linux

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #11
    Thtlat seems sensible and useful.

    Comment


    • #12
      If this patch successfully adds the functionality without opening up new vulnerabilities, I might actually have to admit that Microsoft did something useful for me in Linux. But the pessimist in me says that this is likely going to open up new privilege escalation problems, so will either be rejected outright or end up being a black eye later.

      Comment


      • #13
        Originally posted by tildearrow View Post
        Every thread with "Microsoft" on it:

        *looks at comments*

        ​​*EEE-related comment*
        I'm willing to die on the "Microsoft will abuse their Secureboot power" hill.

        Comment


        • #14
          OpenBSD has ran processes inside chroot for years in the name of security and FreeBSD developed chroot jails to simplify the process and webservers are routinely ran inside jails on that platform. Nothing to see here other than Linux catching up to the *BSDs for once instead of the other way around as is often the case.

          Comment


          • #15
            kylew77

            It seems you forgot about LXC.

            Comment


            • #16
              Originally posted by Volta View Post
              kylew77

              It seems you forgot about LXC.
              Indeed had to google that it does look like a good jail substitute! Uses a single Linux kernel and is not a full OS virtualization. Very cool.

              Comment


              • #17
                I know it's another completely different beast, but we already have root-less Podman containers....

                Comment


                • #18
                  Originally posted by macemoneta View Post

                  Sure, but only when root operations are intercepted. The rest of the time, performance isn't impacted.
                  Unless they combine it with other hacks, the ptracer needs to be notified of and handle every single syscall, resulting in overhead for all syscalls.

                  Comment


                  • #19
                    Originally posted by kylew77 View Post
                    OpenBSD has ran processes inside chroot for years in the name of security and FreeBSD developed chroot jails to simplify the process and webservers are routinely ran inside jails on that platform. Nothing to see here other than Linux catching up to the *BSDs for once instead of the other way around as is often the case.
                    Chroot/Jail/whatever is an overkill if you can use namespaces instead no need for having that overhead. Also daemons should not run as root in the first place.

                    Comment


                    • #20
                      Ok so someone explain why “rootless” cheroot is better that just using rootless pod an or Linux containers?

                      Comment

                      Working...
                      X