Re: [Vserver] secure a guest against the host's root-account
Hi there,

> Q: Is there a way to prevent that a superuser on the host system can

Well, usually one characteristic of a superuser is the right to do
_everything_. Even if you use something like SELinux or whatever, most
superusers have physical access to their machines in one way or another.

IMHO the best way to prevent a superuser from having access to sensible
data is to use some form of PGP/GnuPG (or the like) encryption. But even
then the superuser is able to read the memory of running processes...

Cheers,
Sebastian

--
Sebastian "tokkee" Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/

___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] vserver features
On Mon, Apr 24, 2006 at 06:40:22PM +0200, Jonathan Dray wrote:
> 2006/4/24, Herbert Poetzl <[EMAIL PROTECTED]>:
>
> > networking in Linux-VServer happens on the host to
> > provide highest possible performance, which atm
> > means that the iptable entries have to be set on
> > the host too, this might change in the future, but
> > usually it doesn't pose any problem ...
>
> I've read something about virtual network devices and the ngnet
> project. Is it the future change you are talking about?

yes, ngnet will provide the features (and overhead)
virtual networking has, for those who desperately
want it ...

> Do you have any other solution for virtual hosting services to
> provide guests firewall management ?

usually there is no real point in doing per guest
firewalling, but it can be easily done by assigning
an iptable chain for each guest, and allowing the
guest admins to maintain those entries (e.g. via
web interface)

of course, this requires policy to restrict the number
of table entries and a pre-selection based on guest
IPs to ensure that the guest doesn't do anything evil
with that ...

> > typically you have about 8 devices in your guest,
> > which are created with the 'build' methods, and you
> > really don't want more than those inside a guest for
> > security reasons, so there is really no point in
> > using devfs or udev ...
>
> I understand the security recommendations to limit devices
> inside a guest and agree with them.
> I was asking because when entering a guest I get the following error
> message
>
> mesg: /dev/pts/1: Operation not permitted

which is because you bring your pts/1 from the host
into the guest, and now the guest tries to access
it (which is not permitted, for security reasons)

> Any clue ?

using recent tools and patches (magic word is vlogin)
should handle this by allocating a new pts inside the
guest (on enter), but the canonical way is to enter
the guest via ssh, which will do all the proper
stuff automagically ...

> thanks for your help

you're welcome!

best,
Herbert

> Jon
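The per-guest chain idea from the reply above, as an added example that is not part of the original message or of the Linux-VServer tools: the host pre-selects traffic by guest IP, and each rule a guest admin submits is checked against an allowlist and a count cap before it is stored. The chain name `guest-NAME`, the rule file, the allowlisted options and `MAX_RULES` are assumptions; the script only prints the `iptables` commands so the host admin can review them before applying them as root.

```sh
#!/bin/sh
# Added example: per-guest chain, host-side pre-selection, rule policy.
# Guest name, address and cap are constructed sample values.
MAX_RULES=20    # assumed policy cap on entries per guest

# Accept a guest-submitted rule spec only if every option is allowlisted
# and it carries a plain verdict. Subshell body keeps `set -f` local.
rule_allowed() (
    set -f                      # untrusted input: no glob expansion
    set -- $1
    verdict=0
    while [ $# -ge 2 ]; do
        opt=$1 val=$2; shift 2
        case $opt in
            -p) case $val in tcp|udp|icmp) ;; *) exit 1 ;; esac ;;
            --dport|--sport)
                case $val in *[!0-9]*|??????*) exit 1 ;; esac
                [ "$val" -ge 1 ] && [ "$val" -le 65535 ] || exit 1 ;;
            -s|-d) case $val in *[!0-9./]*) exit 1 ;; esac ;;
            -j) case $val in ACCEPT|DROP|REJECT) verdict=1 ;; *) exit 1 ;; esac ;;
            *) exit 1 ;;
        esac
    done
    [ $# -eq 0 ] && [ "$verdict" -eq 1 ]
)

# Store a rule in the guest's rule file if it passes policy and the cap.
guest_add_rule() {      # $1 = rule file, $2 = rule spec
    rule_allowed "$2" || return 1
    count=$(grep -c '' "$1" 2>/dev/null || true)
    [ "${count:-0}" -lt "$MAX_RULES" ] || return 1
    printf '%s\n' "$2" >> "$1"
}

# Print the host commands: the chain, the pre-selection jumps that send
# only this guest's traffic into it, then the vetted guest rules.
guest_chain_render() {  # $1 = guest name, $2 = guest IP, $3 = rule file
    chain="guest-$1"
    printf 'iptables -N %s\n' "$chain"
    printf 'iptables -A INPUT -d %s -j %s\n' "$2" "$chain"
    printf 'iptables -A OUTPUT -s %s -j %s\n' "$2" "$chain"
    while IFS= read -r rule; do
        printf 'iptables -A %s %s\n' "$chain" "$rule"
    done < "$3"
}

# Demo with constructed values: vet two submissions, print the commands.
rules=$(mktemp)
guest_add_rule "$rules" "-p tcp --dport 22 -j ACCEPT"
guest_add_rule "$rules" "-p tcp -j LOG" || echo "rejected: -p tcp -j LOG" >&2
guest_chain_render web1 192.0.2.10 "$rules"
rm -f "$rules"
```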
Re: [Vserver] vserver features
2006/4/24, Herbert Poetzl <[EMAIL PROTECTED]>:

> networking in Linux-VServer happens on the host to
> provide highest possible performance, which atm
> means that the iptable entries have to be set on
> the host too, this might change in the future, but
> usually it doesn't pose any problem ...

I've read something about virtual network devices and the ngnet project.
Is it the future change you are talking about ?
Do you have any other solution for virtual hosting services to provide
guests firewall management ?

> typically you have about 8 devices in your guest,
> which are created with the 'build' methods, and you
> really don't want more than those inside a guest for
> security reasons, so there is really no point in
> using devfs or udev ...

I understand the security recommendations to limit devices inside a
guest and agree with them.
I was asking because when entering a guest I get the following error
message

mesg: /dev/pts/1: Operation not permitted

Any clue ?

thanks for your help
Jon
[Vserver] Re: how can I remove this in a Vserver : perl: warning: Falling back to the standard locale ("C")...
On Friday 21 April 2006 02:27, Tony Lewis wrote:
> > It should be solved by a little "apt-get install locales"
> 1. apt-get install language-pack-en
> 2. add the following to /etc/environment:
> LANG="en_AU.UTF-8"
> LANGUAGE="en_AU:en_US:en_GB:en"

Same thing in Mandriva:

When creating a vserver, after having done the skeleton, I add a package
to my urpmi line:

# urpmi --root /vservers/vs1 basesystem locales-fr

Here, "locales-fr", because I'm French.

So, if you are using a Mandriva vserver, just install "locales-XX" in
your vserver, XX being the two-letter country code.
Re: [Vserver] great flower page
On Mon, Apr 24, 2006 at 04:11:37PM +0200, Guenther Fuchs wrote:
> Hi there,
>
> on Monday, April 24, 2006 at 3:57:43 PM there was posted:
>
> >> e> - way of keeping heavily-commented template config for vserver.
> >> e> There is no easy way to comment current config.
> >> Agreed.
>
> HP> what about writing option.info files?
>
> The documentation lacks this optional info yet ;-)
>
> HP> get over it! stop whining!
>
> Btw - you meant mainly to answer "eyck"'s post, didn't you?!

well, yes, I thought that was obvious, but maybe it
wasn't (should have added 'eyck' there :)

best,
Herbert

> --
> regards 'n greez,
>
> Guenther Fuchs
> (aka "muh" and "powerfox")
Re: [Vserver] secure a guest against the host's root-account
On Mon, Apr 24, 2006 at 08:02:43AM +0200, Oliver Welter wrote:
> Hi Folks,
>
> this might be a strange question for some of you as it is more an
> academical interest, but I hope you can help me out ;)
>
> Q: Is there a way to prevent that a superuser on the host system can
>
> * see process of a guest
> * enter a guest
> * receive any other valuable info from the guest

well, all this is _theoretically_ possible, and in many
cases quite easy, for example the 'enter' part is already
there, just not activated. we could also hide certain guests
or guest processes from the watch (spectator) context,
it would probably be a little harder with the filesystem
though, although private namespaces could help there too.

the question is, what would stop a malicious user from
using exactly those features to hide evil stuff from
the host admin?

> The idea behind is easy - I want to give away a guest system that
> uses an encrypted filesystem for its sensible data. The guest system
> itself will provide only very limited access to the data via an API
> and it must be prevented by any means that even the "Bofh" of the host
> can access any of the data

I can imagine having a kernel compile time option to
enable certain 'security' features ... or disable
certain host admin capabilities

> So, is there any way to do this?

definitely, if you plan to pursue this direction, please
contact me and I will see what I can do.

best,
Herbert

> I guess that SELinux/GR will offer some pointers to forbid root these
> actions, but are there any "easier" ways ??
>
> Oliver
> --
> This message was digitally signed
> oliwel's public key: http://www.oliwel.de/oliwel.crt
> Root certificate: http://www.ldv.ei.tum.de/page72
Re: [Vserver] great flower page
Hi there,

on Monday, April 24, 2006 at 3:57:43 PM there was posted:

>> e> - way of keeping heavily-commented template config for vserver.
>> e> There is no easy way to comment current config.
>> Agreed.

HP> what about writing option.info files?

The documentation lacks this optional info yet ;-)

HP> get over it! stop whining!

Btw - you meant mainly to answer "eyck"'s post, didn't you?!

--
regards 'n greez,

Guenther Fuchs
(aka "muh" and "powerfox")
Re: [Vserver] What is the best method to clone a vserver from one host to another ?
On Sun, Apr 23, 2006 at 06:42:53PM +0200, Sébastien CRAMATTE wrote:
> Hello
>
> What is the best method to clone a vserver from one host to another ?
> I've tried to use vcopy script (http://www.micropp.se/vserver/). This
> method works locally.

rsync or dump/restore (when you use ext2/3)

best,
Herbert

PS: double check the rsync options and don't forget
to use --numeric-ids and --archive

> But doesn't clone vserver remotely ???
>
> When I use this command line :
> vcopy --clone kea3 [EMAIL PROTECTED]:/tmp/kea3
>
> SSH return me illegal option -- S
> Unknowed return on sudoprobe (1)
>
> SSH server is installed on my destination host + sudo
>
> Thanks for your help
>
> Bye
>
> Sebastien
Re: [Vserver] vserver features
On Sun, Apr 23, 2006 at 06:17:22PM +0200, Jonathan Dray wrote:
> I've successfully installed Vserver on a debian etch with a 2.6.15
> patched kernel and started my first guest a few days ago.
> I'm now looking for help/information about two features I actually
> didn't find :
>
> - iptables support in guest environment. I am forced to use
> the host iptables configuration to grant security which is not
> very handy. It is not possible to give a guest specific security
> management for its ip address.

networking in Linux-VServer happens on the host to
provide highest possible performance, which atm
means that the iptable entries have to be set on
the host too, this might change in the future, but
usually it doesn't pose any problem ...

> - udev management for devices in guest environment.

typically you have about 8 devices in your guest,
which are created with the 'build' methods, and you
really don't want more than those inside a guest for
security reasons, so there is really no point in
using devfs or udev ...

> I was searching for documentation / tutorials for the above specific
> topics.
>
> Could you give me a hint ?

hint given ...

> Maybe i missed something ?

imho, yep ...

best,
Herbert

> regards
> Jon
Re: [Vserver] great flower page
On Sun, Apr 23, 2006 at 10:28:05AM +0200, Guenther Fuchs wrote:
> Hi there,
>
> on Sunday, April 23, 2006 at 9:57:06 AM there was posted:
>
> e> - ability to hot-add/hot-remove IPs from running guest
> This is lost? AFAIK it is still possible, using the proper context.

this is a feature which was _added_ with 2.1 and is
_only_ possible with the new tools, i.e. that is
something which was _gained_ in 2.1 with newer tools

> e> - ability to enter running/non-running guest
> Running guest entering is not lost, non-running guests always started
> them, so I see the actual way being more clear

the --rescue option is to 'enter' a 'non-running' guest

> e> - ability to hot-mount directories into running guest
> This is lost? AFAIK it is still possible, using the proper context.

vnamespace -e -- mount

or if you prefer you can disable the private namespaces
completely with the _new_ config :)

> e> - when entering guest this info used to be displayed:
> e> ipv4root is now 127.2.0.1 127.3.0.3
> e> New security context is 10005
> e>it's missing now
> OK, that is lost. But it is not really necessary IMHO. There are other
> and also easy ways to achieve that info.
>
> e> - old vserver-build scripts created skeletons ready to be
> e> deployed, new method requires quite some time for vserver-enabling
> e> newly built skeletons... which is time-consuming, requires some
> e> knowledge and is error-prone.
> Cannot follow this problem, as I never worked / do not work with skeleton.
>
> e> - ability to look at single vserver configuration and understand
> e> what's going on ( similar task requires running through
> e> directories, checking their contents, and extensive knowledge of
> e> CURRENT way the utils works.) I guess "find . -type f -ls -exec
> e> cat "{}" ';'" would be work-around for this miss-feature.
> I had this as a personal "problem" as well when changing to the new
> scheme. As for now, since I'm working a while with the new scheme, it
> is more clear and more understandable for myself than the old one. But
> there's one point, I agree still with you: The examples are lost, the
> relevant documentation is therefore less understandable (and not
> everyone realises how to switch the stylesheet on the "flower page").
> So this really could (should?) be improved to fit the previously
> reached level, yes.
>
> e> - way of keeping heavily-commented template config for vserver.
> e> There is no easy way to comment current config.
> Agreed.

what about writing option.info files?

> e> - generally new style trades ease of programming in primitive
> e> languages for sysadmin's time. Which is great for people writing
> e> utils, not so great for those forced to use them.
> ???

I wonder _why_ nobody made a tool to map some kind of
property list (or xml document) to the directory based
layout and back ... seems to me that the admins do not
really care, just use it ...

> e> - principle of least surprise was broken, for example in 'dev',
> >'nodev',
> ???

well, we already clarified that you have some strange
kind of expectations for that config, which suddenly
differs from the old one (where IPROOTDEV meant exactly
what dev means now)

get over it! stop whining!

best,
Herbert

> --
> regards 'n greez,
>
> Guenther Fuchs
> (aka "muh" and "powerfox")
Re: [Vserver] secure a guest against the host's root-account
Hi Mike, Serge,

> > > So, is there any way to do this ? I guess that SELinux/GR will offer
> > > some pointers to forbid root these actions, but are there any "easier"
> > > ways ??
> >
> > Sounds like SELinux is the tool of choice for that.
>
> And if your concern is with the host's admins, not with exploited root
> apps on the host server, then selinux still won't help you.

Partially my second question here on the list regarding TPM support
would be a great possibility to ensure and certify a certain state of
the Root-Server.

But to keep on track - are there any good howtos for SELinux/vserver

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Root certificate: http://www.ldv.ei.tum.de/page72
Re: [Vserver] secure a guest against the host's root-account
Quoting Michael S. Zick ([EMAIL PROTECTED]):
> On Mon April 24 2006 01:02, Oliver Welter wrote:
> > Hi Folks,
> >
> > this might be a strange question for some of you as it is more an
> > academical interest, but I hope you can help me out ;)
> >
> > Q: Is there a way to prevent that a superuser on the host system can
> >
> > * see process of a guest
> > * enter a guest
> > * receive any other valuable info from the guest
> >
> > The idea behind is easy - I want to give away a guest system that uses
> > an encrypted filesystem for its sensible data. The guest system itself
> > will provide only very limited access to the data via an API and it must
> > be prevented by any means that even the "Bofh" of the host can access
> > any of the data
> >
> > So, is there any way to do this ? I guess that SELinux/GR will offer
> > some pointers to forbid root these actions, but are there any "easier"
> > ways ??
> >
> Sounds like SELinux is the tool of choice for that.

And if your concern is with the host's admins, not with exploited root
apps on the host server, then selinux still won't help you.

-serge
Re: [Vserver] secure a guest against the host's root-account
On Mon April 24 2006 01:02, Oliver Welter wrote:
> Hi Folks,
>
> this might be a strange question for some of you as it is more an
> academical interest, but I hope you can help me out ;)
>
> Q: Is there a way to prevent that a superuser on the host system can
>
> * see process of a guest
> * enter a guest
> * receive any other valuable info from the guest
>
> The idea behind is easy - I want to give away a guest system that uses
> an encrypted filesystem for its sensible data. The guest system itself
> will provide only very limited access to the data via an API and it must
> be prevented by any means that even the "Bofh" of the host can access
> any of the data
>
> So, is there any way to do this ? I guess that SELinux/GR will offer
> some pointers to forbid root these actions, but are there any "easier"
> ways ??
>

Sounds like SELinux is the tool of choice for that.

Mike

> Oliver