Slashdot Mirror


Introduction to User-Mode Linux

developerWorks writes "Ever wish you had a place to let your Linux applications play -- where they wouldn't hurt anything else? Do your killer apps spend too much time killing each other? Originally conceived as a kernel developer's tool, UML lets you set up multiple virtual machines that are isolated from each other and from the hardware. Now, you can test applications all the way to failure without breaking the host system -- or even requiring a reboot. Veteran administrator Carla Schroder shows you how in this tutorial."

4 of 32 comments

  1. Register? by *xpenguin* · · Score: 2, Insightful

    How can a tutorial that requires registration get accepted?

  2. UML by zelphi · · Score: 2, Insightful

    Before someone starts modeling OOP with this tool, they should get a new acronym. Why is it so hard to think of something original?

  3. Re:could this be... by zogger · · Score: 2, Insightful

    --I bookmarked the page and will check it out later. Right now it won't display properly for me, but I'll try it again.

    Yes, what you said, something like that. There's no real reason that the "core" install needs to have access to the net, when a virtual system can take the chances, and still "do the work". It makes by far the best sense to me yet of all the various security schema. It would also make upgrading better as you wouldn't be afraid of hosing your mission critical stuff while it's running.

  4. poor man's solution by zogger · · Score: 3, Insightful

    --the only thing I've done along these lines is to have a "spare" old hard drive with a basic system installed, that isn't plugged in to anything, but it's mounted in the drive bay. If I get a bad fubar, I'll more or less know what the last thing that happened was, so with the spare drive installed I can avoid that problem whatever it was before going online. But ya, it would sucketh to lose all the data and updates. I don't trust my level of expertise to make a backup dump or raid system all that valuable, as more or less I am as likely to just "backup" the virus or trojan should it become installed. I'm just a casual home user, not having to defend expensive server farms, etc, so the requirements aren't as great, but it still would be nice to have an easier to use method than what's available now, which is to become a security guru in your spare time. A virtual system that ran completely in a jail would be a good idea. I tried knoppix but it has some features I don't like (primarily I'm a gnome not a kde guy) and I couldn't make it dial out, but still, it's a step in the right direction and it ran surprisingly fast, much faster than I thought it would.

    To get back to the subject, YES, an additional layer of "permissions" to access the system. Two stage isn't enough, you should be able to do an instant "create on demand" full system, use it for a session then trash it, thereby eliminating anything nasty that might have occurred to you, and that temporary system could be an additional step-->out away from the actual root or user level. There should be a "this is vulnerable being online so it can't do much and nothing permanent without jumping through hoops" temp-user level. A temporary trip wire action would help, and then the system would force you to go offline and compare audits before anything was 'saved' to the disk in either a user's directory or at root level. It would be saved in the virtual OS's ram cache or on swap (a "virtual swap" inside the real swap as well?), examined, if it passes, THEN it can slide downhill into normal user-space. And the box needs its own built-in battery to keep ram cache intact in case of catastrophic outside failure, so that very important but still unexamined data is not lost. I've had UPSs fail, but when a laptop was plugged in, it didn't matter, I didn't lose anything or suffer file system damage, the built-in battery concept is ideal for this, and I have no idea why it isn't just common on desktops as well. They are already big and heavy, a small battery is not that much more weight or space.