"User Mode Linux allows you to run Linux kernels as user mode processes under a host Linux kernel, giving you a simple way to run several independent virtual machines on a single piece of physical hardware. Let's take a look at UML and how it can give you more bang for the hardware buck, or make it easier to debug the kernel."
To read all comments associated with this story, please click here.
Member since:2007-01-12
I had the same idea. Step one is to build a minimal rootfs/chroot environment. A lot of that is done with symlinks into the outside filesystem, for example /usr/bin, so it will not "waste a lot of disk space". Also, you don't need as many libraries, applications, etc. to run selected applications like Firefox.
One also has to symlink some X11 Unix domain sockets (located in /tmp) into your chroot environment so that X applications can be launched. One may have to allow connections to the X server from the chroot environment, which may seem to be a "external machine" (xhost +127.0.0.1).
What UML adds over and above the chroot protection is the ability to capture an attempt to remount, for example, /dev/hda1 in order to break out of the chroot jail. So, the chroot environment built in step 1 is the input to step 2 where you run the same rootfs in UML. I ran Firefox, Opera, etc. in a chroot so I feel like with this could be done with a few hours of learning UML configuration.
You are correct that the security of $HOME is a neglected topic; sometimes attacks are launched to get the information in $HOME and not to try to "own" the box. This does go against the dogma that no one cares what happens to a users directory/information on a *NIX box.
Member since:2005-12-02
"You are correct that the security of $HOME is a neglected topic; sometimes attacks are launched to get the information in $HOME and not to try to "own" the box. This does go against the dogma that no one cares what happens to a users directory/information on a *NIX box."
Well said. The users directory is the most important part of the box, since that is where the data is. Unfortunately very few people seem to understand that. Owning the box is bad, but the loss of data is much worse. On the other hand, if someone owns the box they can compromise ALL of the home directories, instead of possibly just that of the 1 user that does something stupid.
Member since:
2006-02-06
I am no expert in virtualization and emulation, so I'd like to ask something:
Can this be used to insulate a potentially dangerous application like a web browser or any other network based application in a diferent virtual machine, and then run them side by side, the host holding the local documents and projects and most work the user has, with the emulated virtual system executing everything web-related (browsers, im and all that stuff) ?
I don't know if it would be feasible, since it would probably waste a lot of disk space and memory running things like this but... is it possible ?