The first stable OpenVZ release
Posted Dec 6, 2005 9:46 UTC (Tue) by dev
In reply to: The first stable OpenVZ release
Parent article: The first stable OpenVZ release
chroot/chuid is not a secure solution in many respects:
- you can easily make a DoS on memory/CPU/disk and other resources, which are out of control of ulimits.
In OpenVZ you control how much CPU/memory and disk space your VPS can consume.
- root can break chroot. So you can't give people root access under chroot. This also implies that you can't run much of the software which requires root privileges, can't listen on some port numbers, etc.
- root can break chroot. This also implies that if a hacker has accessed your system while under chroot() and is able to gain root privileges (which is not a hard problem due to SUID apps and security problems in modern software), he will be able to get out of chroot.
The last 2 points are not applicable to OpenVZ: you have root privileges in the VPS, you can run any application you wish, and it is impossible to get out of the VPS due to the enhanced security model and lots of preventive countermeasures which are created just to be sure that no harm can be done.