25th November 2009
jggimi

Not to start a war. But the consensus, among the OpenBSD cognoscenti, is that virtual machines / Chroot / Jails are not adding additional security, nor platform isolation, though they do offer the appearance of it. Many people think they are getting these through virtualization, but ... the consensus is they are mistaken. You may, if you wish, call that a theory, but the Project members will call it fact, and cite chapter and verse, nastily. You can search the misc@ archives for lots of it.

The use of chroot within OpenBSD itself is for filesystem isolation after privilege separation, for Apache and BIND, primarily.

As it has filesystem virtualization, I have used chroot for development. I was not looking for security or platform isolation, just filesystem isolation.

Last edited by jggimi; 25th November 2009 at 03:31 AM.