Re: [Vserver] OCS Inventory

From: harry <harry_at_cc.kuleuven.be>
Date: Sat 17 Mar 2007 - 17:18:28 GMT
Message-ID: <45FC22E4.9080001@cc.kuleuven.be>

in the same sense...

disable all firewalls, open up your telnet port and allow passwordless
root login on all your machines
or pull the plug

those are the only possibilities, right?

Daniel W. Crompton wrote:
> Seriously, if you care about your guest being secure you make sure that
> the host doesn't have physical network access. If you want to be able
> to run certain programs in a guest you sometimes need rights which are
> available to only the host. That's the whole point of caps.
>
> I want to make it clear that I have no idea what the OCS program does,
> but if you want to run it in a guest then you need to be able to
> access /dev/mem. Making the guest insecure is the price you have to
> pay. Having network access for a machine means risking remote attacks;
> it's the price you pay.
>
> I hardly run anything on my host systems besides syslog and sshd,
> practically everything runs in a guest. Some guests have caps that
> give them almost full access to the host system; on other guests you
> don't even have write access to the disk or a compiler. (It logs to
> the host's syslog anyway.) The level of access you need in a guest
> determines who access is given to, not whether you do something or
> not.
>
> The only thing you "absolutely never ever" want to do is give somebody
> you don't trust physical access to the host, anything else is a
> question of need.

-- 
harry
aka Rik Bobbaers
K.U.Leuven - LUDIT          -=- Tel: +32 485 52 71 50
Rik.Bobbaers_at_cc.kuleuven.be -=- http://people.linux-vserver.org/~harry
Nobody notices when things go right.
Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
_______________________________________________
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
Received on Sat Mar 17 17:43:41 2007
Generated on Sat 17 Mar 2007 - 17:43:46 GMT by hypermail 2.1.8