Re: [vserver] Copy-on-write Hard Links, Shared Libraries, Prelink and Memory

From: Gordan Bobic <gordan_at_bobich.net>
Date: Fri 11 Jun 2010 - 11:48:21 BST
Message-ID: <4C121475.30502@bobich.net>

On 06/11/2010 11:37 AM, Herbert Poetzl wrote:
> On Thu, Jun 10, 2010 at 09:13:56PM +0100, Gordan Bobic wrote:
>> On 06/10/2010 08:50 PM, Herbert Poetzl wrote:
>
>>>> Essentially - if it is not safe to do this between the host and
>>>> a guest, how come it is safe to do between guests?
>
>>> because the host (context) has all privileges and
>>> can manipulate all the guests (and usually their filesystem
>>> without any restriction)
>
>>> so, the danger is not that the guest will modify a host
>>> binary and use that for some kind of exploit, the danger
>>> is more that you accidentally drop the required security
>>> mechanisms while accessing those files (from the host)
>>> and the guest could exploit this to mess with the host
>>> binaries ... or it could simply mess up the guest by
>>> involuntarily changing guest files (along with host changes)
>
>> What exactly are you referring to with "security mechanisms"
>> in this context?
>
> for example, remove the immutable flag
>
>>> the guests are all limited in their capabilities and will
>>> not be able to do such things, but the host context is not
>>> limited at all, i.e. everything goes :)
>
>> I get that, I'm just curious how sharing a hard-link between
>> host and guest could be used to compromise the host.
>> At the moment, I cannot quite see the attack vector.
>
> one example in short:
> host removes immutable flag, guest injects evil code ...

Hmm, fair. I wonder, though, if such cases could be systematically
caught and controlled. (SELinux rules?)

>>> besides that, having a few hundred megabytes of host
>>> files/binaries are usually acceptable ...
>
>> A few hundred MB of disk space isn't a big issue. A few hundred
>> MB of RAM, however, is - I'm trying to implement something on
>> a very low power machine (N450 Atom, has to be passively cooled)
>> which is limited to 2GB of RAM, and I need to deploy about 3-4 VMs
>> in it.
>
> I doubt that sshd and maybe syslogd (you should not need
> anything else on the host) will consume a lot of memory.
> I also doubt that you will keep those in sync with the
> guests at all times :)

I agree, up to a point. But these things tend to suffer scope creep.

>> Hence why I am trying to scrape a bit more off the bottom of
>> the barrel. :)
>
> you might want to go for 32bit there if memory is really
> your main concern ... but I'd verify that with a test
> setup first :)

An interesting idea, I'll compare and see.

Gordan
Received on Fri Jun 11 11:55:47 2010
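The scenario Herbert describes (a host that drops the immutable flag on a unified file, after which a guest writing through its own hard link alters the inode the host executes) is something the host administrator can audit for. The following is an added example, not code from the vserver project or from either poster: it walks a host tree, reports regular files whose link count is above one (the candidates for unified hard links into guests) and reads the immutable attribute through FS_IOC_GETFLAGS where the filesystem supports that ioctl; the host_root path is an assumption.

```python
"""Audit hard links a host root shares with guest roots (added example,
not the vserver project's code). host_root is an assumed path."""
import fcntl
import os
import stat
import struct

# FS_IOC_GETFLAGS is _IOR('f', 1, long); the long size is platform
# dependent (0x80086601 on 64-bit Linux), so derive it instead of hard-coding.
FS_IOC_GETFLAGS = (2 << 30) | (struct.calcsize("l") << 16) | (ord("f") << 8) | 1
FS_IMMUTABLE_FL = 0x00000010

def immutable_flag(path):
    """True/False for the immutable attribute, or None when the
    filesystem does not implement FS_IOC_GETFLAGS (tmpfs, some overlays)."""
    try:
        fd = os.open(path, os.O_RDONLY)
    except OSError:
        return None
    try:
        buf = fcntl.ioctl(fd, FS_IOC_GETFLAGS, struct.pack("l", 0))
        return bool(struct.unpack("l", buf)[0] & FS_IMMUTABLE_FL)
    except OSError:
        return None
    finally:
        os.close(fd)

def shared_files(host_root):
    """Map (device, inode) -> (path, nlink, immutable) for every regular
    file under host_root with more than one link: a guest holding one of
    those links writes to the very same inode the host executes."""
    found = {}
    for dirpath, _dirs, names in os.walk(host_root):
        for name in names:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode) or st.st_nlink < 2:
                continue
            found[(st.st_dev, st.st_ino)] = (path, st.st_nlink, immutable_flag(path))
    return found

def unprotected(host_root):
    """Shared files whose immutable flag is known to be off, i.e. the
    state in which a guest can alter a host binary through its link."""
    return [p for p, _n, imm in shared_files(host_root).values() if imm is False]
```

Run it against the host root from a cron job or before and after any maintenance that touches attributes; a non-empty result from `unprotected()` is the condition the thread warns about.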
