Paranoid Penguin - Running Network Services under User-Mode Linux, Part III
If you patched your UML host's kernel with the SKAS patch, you've already got reasonably good assurance that an attacker who compromises a UML guest won't be able to do much, if anything, on the host system. However, I'm not one to argue against paranoia, so I also recommend you chroot your UML guest system. This is described in detail on the UML Wiki (see Resources). And, what about shell access to your UML guests? There are various ways to access “local consoles”. You get one automatically when you start your UML guest from a UML host shell manually—after your UML kernel loads, you'll be presented with a login prompt.
That doesn't do you much good if you start your UML guest automatically from a script, however. The “Device Inputs” page on the User-Mode Linux home page (see Resources) describes how to map UML guest virtual serial lines to UML host consoles. For me, however, it's easiest simply to install SSH on my UML guest system, configure and start its SSH dæmon, and create a firewall rule that allows connections to it only from my UML host.
Generally speaking, you want to use the same security controls and tools on your UML guest (tripwire, chrooted applications, SELinux, tcpwrappers and so on) as you would on any other bastion server.
Describing in detail the process of building your own root filesystem image from scratch would require its own article (one which I may yet write). Suffice it to say, the process is all but identical to that of creating your own bootable Linux CD or DVD, without the final step of burning your image file to some portable medium. There are three major steps:
Create an empty filesystem image file with dd.
Format the image file.
Mount it to a directory via loopback.
Install Linux into it.
The first three steps are the easiest. To create a 1GB ext3 image file, I'd run the commands shown in Listing 3 as root.
Listing 3. Making and Mounting an Empty Filesystem Image
dd if=/dev/zero of=./mydebroot bs=1024K count=1000 mkfs.ext3 ./mydebroot mkdir /mnt/debian mount -o loop ./mydebroot /mnt/debian
Installing Linux into this directory gets a bit more involved, but if you've got a SUSE host system, the Software module in YaST includes a wizard called “Installation into Directory”. Like other YaST modules, this is an easy-to-use GUI.
Similarly, if you run Debian, you can use the command debootstrap. See Michael McCabe and Demetrios Dimatos' handy article “Installing User Mode Linux” for detailed instructions on using debootstrap to populate your root filesystem image.
See the UML Wiki for some pointers to similar utilities in other distributions. The Linux Bootdisk HOWTO (see Resources), although not specific to UML, is also useful.
I hope you're well on your way to building your own virtual network servers using User-Mode Linux! The two most important sources of UML information are the UML home page and the UML Wiki (see Resources). Those and the other Web sites mentioned in this piece should help you go much further with User-Mode Linux than I can take you in an introductory series of articles like this. Have fun, and be safe!
Resources for this article: /article/9457.
Mick Bauer (firstname.lastname@example.org) is Network Security Architect for one of the US's largest banks. He is the author of the O'Reilly book Linux Server Security, 2nd edition (formerly called Building Secure Servers With Linux), an occasional presenter at information security conferences and composer of the “Network Engineering Polka”.
- Picking Out the Nouns
- Tips for Optimizing Linux Memory Usage
- "No Reboot" Kernel Patching - And Why You Should Care
- DevOps: Better Than the Sum of Its Parts
- Return of the Mac
- Android Candy: Intercoms
- Drupageddon: SQL Injection, Database Abstraction and Hundreds of Thousands of Web Sites
- Non-Linux FOSS: .NET?
- New GeekGuide: Beyond Cron