[nycbug-talk] shared hosting

Marc Spitzer mspitzer
Fri Jan 28 00:35:01 EST 2005


On Thu, 27 Jan 2005 23:44:27 -0500 (EST), alex at pilosoft.com
<alex at pilosoft.com> wrote:
> 
> Oh, and go count how many BSD' completely *distinct* userspaces are out
> there compared to linux. (Hint: fbsd, obsd, netbsd at least. I don't know
> how many other splinters appeared last year, picobsd, dragonfly etc who
> all have *different* userspaces). At least with linux, everyone sticks to
> the original package source.

Actually the main difference is in admin land(the part of user land
that you use to manage the box) not user user land. now with that
said:
redhat
suse
debian
gentoo
And I do not track the 872+ splinter distros of linux

have absolutely nothing in common as far as administrative tools go
they are flat out incompatible and for the ones I have used( redhat,
debian, suse) have absolutely shitty man pages and information
separated into all sorts of weird ass places on the system and not on
the system.  The box is not up and they did not even bother to put
accurate info in a consistent format on it so you can fix the fucking
problem.  Now lets get into the fact that as far as I know they all
use the standard linux file system lay out, about which the kindest
thing I can say about it is it was laid out by a mosquito snorting
ddt, absolutely no separation between core functionality and all the
other stuff.  this design actually is actively hostile to keeping a
system up and running.  And then there is the dance of the flipping
libraries and kernels, to get x up you need version y of glibc and
that breaks z, that you also need up.  Quality control on the stable
branch of the kernel is a *JOKE*.

[snip]

the rest was a fair argument though.

And I do agree that the jail code is the tip of the iceberg as fare as
kernel stuff that is needed by  the kernel to make jails work.  Every
place that the kernel would give you access to kernel data structures
needs to have "jail code" and this has nothing to do with root, user
can do stuff that invokes this check "ps wwauxx" had better give
different info to an unprivileged user in a jail and out of a jail. 
For every "distinct path" that happens from user space into kernel
space you need to have a guardian making sure nothing unwanted happens
or leaks.  Much like the the distinction between 0==uid and 0!=uid you
simply need to have code to check for it in the proper place.  Now
with good engineering you can minimize the number of places that the
check needs to be put in.  And with that said you still need to
maintain the checks and add new ones as the kernel changes.

marc




More information about the talk mailing list