>>>>> "CC" == Colin Cashman <[EMAIL PROTECTED]> writes:
>> No. chroot is not safe enough. I want to create virtual boxes in which
>> I can give root rights to other people and I want to be sure that they
>> can't break other boxes.
>>
>> AFAIK if you have root you can escape a chroot'ed directory. Another
>> problem is that root can have direct access to devices. I don't want to
>> allow it. A good solution is really independent virtual boxes which are
>> run from one real one. This is what FreeBSD's jails provide. The User-mode
>> Linux kernel seems to allow it too, but I'm not sure how stable it is
>> and whether there are any limitations.

CC> I just found a page that might contain what you are looking for:
CC> http://www.gnu.org/directory/vsd.html
CC> "VSD - Facilitates Linux Virtual Servers within a 'chroot'
CC> environment."

Yes, I've seen it and similar solutions. The problem is that, as I have
written, 'chroot is not safe enough'. It is not possible to give root
rights to people in a chroot'ed environment if you don't want to trust
them.

BTW, apart from the problems with direct access to devices and the
possibility for root to escape chroot, there is another problem (for me)
with chroot. Chroot only allows isolation of boxes at the filesystem
level. For example, you can't have two mail servers running at the same
time - the first in one virtual box, the second in another. At least you
can't do it unless you configure them to listen on different interfaces.
(BTW, is it possible to create several loopback interfaces? I think not.)

Let me describe my needs.

1) I want to build a testing and development environment for the
developers in my company. There are several developers who work on
different projects. Often it is much easier to give developers root
access than to try to fine-tune the security system on development
servers so that they will be able to install/configure software there.
So I want to just create several virtual boxes and give root access there
freely, so I can be sure that one group of developers can't break things
for another group.

2) Another task is building automated tests for our software. One
product our developers work on is mailing-list software. For the creation
of automated tests for this software it is *required* to have several
boxes. If I can just create a bunch of virtual boxes it will be very
useful.

Combining 1) and 2) gives the need for independent virtual boxes.
'chroot' is not good enough.

CC> [..skip..]

--
Ilya Martynov
AGAVA Software Company, http://www.agava.com
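The port collision described above, reproduced as an added example (not part of the original thread): chroot partitions the filesystem only, so two daemons in two chroots still share one kernel TCP port table and the second bind() fails. The example also goes one step further and shows that pinning each daemon to its own loopback address avoids the collision; it assumes Linux, where the whole 127.0.0.0/8 block sits on lo.

```python
import errno
import socket


def try_bind_pair(host_a: str, host_b: str) -> dict:
    """Bind a listening TCP socket on host_a at an ephemeral port, then try
    to bind a second socket on host_b at that same port.

    This models two "virtual boxes" that only differ by chroot: the kernel
    keeps a single port table, so the second bind fails unless the two
    daemons are pinned to different addresses.
    """
    first = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    second = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        # No SO_REUSEADDR: behave like an ordinary daemon doing bind()/listen().
        first.bind((host_a, 0))
        first.listen(1)
        port = first.getsockname()[1]
        try:
            second.bind((host_b, port))
            return {"port": port, "second_bind_ok": True, "errno": None}
        except OSError as exc:
            return {"port": port, "second_bind_ok": False, "errno": exc.errno}
    finally:
        first.close()
        second.close()


def wildcard_conflict() -> bool:
    """Two daemons both bound to the wildcard address collide with EADDRINUSE."""
    result = try_bind_pair("0.0.0.0", "0.0.0.0")
    return (not result["second_bind_ok"]) and result["errno"] == errno.EADDRINUSE


def per_address_split_works() -> bool:
    """Giving each daemon its own loopback address (127.0.0.1 and 127.0.0.2,
    both on lo under Linux) lets both listen on the same port."""
    return try_bind_pair("127.0.0.1", "127.0.0.2")["second_bind_ok"]


if __name__ == "__main__":
    print("0.0.0.0 + 0.0.0.0 on one port conflicts:", wildcard_conflict())
    print("127.0.0.1 + 127.0.0.2 on one port works:", per_address_split_works())
```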