Changing Root Directory: chroot()
The chroot() system call has been with UNIX since at least Version 7 (released in 1979).
As its name implies, chroot() changes the root directory of the calling process.
Once a running process executes chroot("/home/jail"), /home/jail becomes "/", and for all
intents and purposes, every file and directory outside of /home/jail
(including the true root directory and true /home directory) no longer exists.
In effect, chroot() provides a UNIX-inside-of-UNIX environment -- a kind of "jail" where a
process can be restricted to an arbitrary portion of the filesystem.
Jails provide "security by default" for untrusted software: even if the software proves
to be insecure in ways not anticipated, the jail (which is enforced by the operating system,
not the program) dramatically limits the damage that can be done.
Indeed, a jail should provide only a bare minimum of facilities, thereby limiting the
potential for damage even further.
New System Calls: Context Support
The new system calls, like the existing chroot() system call, share one common
feature: their effect can't be reversed. Once you have executed one of those system calls,
you can't go back. This affects the current process and all of its child processes.
The parent process is not influenced.
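
The chroot() behaviour described above, as an added example that is not code from the original page or from the vserver project: a forked child enters the jail irreversibly while the parent keeps its real root. The function names and the uid/gid 65534 are assumptions, and the privilege drop is added here because a process that stays root can leave a chroot jail.

```c
#define _DEFAULT_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>

/* Confine the calling process to `jail`, then give up root for good.
 * Returns 0 on success or -errno from the first step that failed. */
int enter_jail(const char *jail, uid_t uid, gid_t gid)
{
    if (chdir(jail) != 0)        return -errno; /* cwd must be inside the jail */
    if (chroot(".") != 0)        return -errno; /* requires root privilege */
    if (chdir("/") != 0)         return -errno; /* "/" is now the jail itself */
    if (setgroups(0, NULL) != 0) return -errno; /* drop supplementary groups */
    if (setgid(gid) != 0)        return -errno; /* group before user */
    if (setuid(uid) != 0)        return -errno;
    if (setuid(0) == 0)          return -EPERM; /* root must not be recoverable */
    return 0;
}

/* Jail a forked child only; the parent keeps its original root directory.
 * Returns the errno value the child failed with (0 = jailed), or -1. */
int jail_child(const char *jail, uid_t uid, gid_t gid)
{
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)                /* child: no way back from here */
        _exit(-enter_jail(jail, uid, gid));
    int status;
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(int argc, char **argv)
{
    /* Constructed defaults: the page's /home/jail, uid/gid 65534 (assumed "nobody"). */
    const char *jail = argc > 1 ? argv[1] : "/home/jail";
    int rc = jail_child(jail, 65534, 65534);
    printf("child: %s (errno %d); parent can still reach %s: %s\n",
           rc == 0 ? "jailed" : "not jailed", rc, jail,
           access(jail, F_OK) == 0 ? "yes" : "no");
    return rc != 0;
}
```

Run it as root against a prepared jail directory; without root the child reports EPERM from chroot() and nothing is confined.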
Contexts are the heart of the vserver idea. Contexts protect vservers from each other.
A process running in a particular context can see only processes in the same context,
can use only the IP address allowed to that context, and can use only files that belong to that context.
That provides quota support within virtual servers and thus makes it possible to know the disk usage on them.
VPS Architecture
The virtual private server model consists of two main parts:
Read more on these components in the corresponding documentation.