Re: [vserver] Vserver Kernel Exploits

From: Ted Barnes <madogdevelopment_at_gmail.com>
Date: Tue 21 Jan 2014 - 20:18:27 GMT
Message-ID: <52DED613.3090905@gmail.com>

Thanks so much Adrian - let me read, digest...appreciate the help!

On 01/19/14 11:42, Adrian Reyer wrote:
> Hi Ted,
>
> On Sun, Jan 19, 2014 at 09:55:22AM -0500, Ted Barnes wrote:
>
>> 1) I'm running gnome including Firefox in my vserver guests. Is
>> it a correct assumption that such a guest is susceptible to the
>> types of kernel exploits that would allow an attacker to take
>> control of the guest as root (e.g., maybe some sort of sql
>> injection off of an infected website)? I.e., does the guest
>> architecture per se eliminate this sort of risk? Or is the best one
>> can do to use a current kernel, keep the guest patched, etc.?
>>
> A VServer root is still root, just with limited capabilities. E.g.:
> - No creating devices
> - No loading modules
> - No mounting of block devices
> - No changing of network setup
> In other words, it is much harder to hide as an attacker and to attack
> the rest of the system.
> You should keep current kernels to prevent the attacker from gaining
> additional privileges and becoming a danger to the host. It compares a bit
> to a virus scanner: if it is outdated, it is useless. Though on a quite
> higher level to be exploited.
>
>
>> 2) Should such an attack succeed, could the attacker then begin to
>> attack other guests on the network?
>>
> Yes, they can do so as a normal user as well. However, default settings
> don't allow e.g. using tcpdump.
>
>
>> 3) My guests are on a different subnet than the host. Should such
>> an attack succeed in a guest, could it mount a successful attack on
>> the host over the network if the host had iptables in place, was up
>> to date in its patches etc.?
>>
> Depends on the attack and your setup. By default, locally generated
> packets targeting local IP addresses will never leave the host. This is
> different with e.g. network namespaces.
>
> Regards,
> Adrian
>
Received on Tue Jan 21 20:25:43 2014
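Adrian's point is that a VServer root is an ordinary root with part of its capability set removed. The following script is an added example, not code from the thread or from the vserver project: it decodes the `CapEff:` line of `/proc/<pid>/status` and checks whether the restrictions he lists actually hold for a given process. The mapping from his list to capability bits is this example's own assumption (device nodes need `CAP_MKNOD`, module loading `CAP_SYS_MODULE`, mounting `CAP_SYS_ADMIN`, network setup `CAP_NET_ADMIN`, and tcpdump's raw sockets `CAP_NET_RAW`). The guest status text is a constructed sample; running the file directly checks the calling process instead.

```python
import re

# Linux capability names indexed by bit number, as in the kernel's
# include/uapi/linux/capability.h (bits 0..37).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
    "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
    "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
]

# Assumed mapping from the restrictions named in the thread to the
# capability each operation requires.
RESTRICTIONS = {
    "create device nodes": "CAP_MKNOD",
    "load kernel modules": "CAP_SYS_MODULE",
    "mount block devices": "CAP_SYS_ADMIN",
    "change network setup": "CAP_NET_ADMIN",
    "sniff traffic (tcpdump)": "CAP_NET_RAW",
}


def decode_caps(mask):
    """Return the set of capability names whose bit is set in mask."""
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def parse_cap_eff(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)


def check_restrictions(mask):
    """For each restriction, True if it holds (the needed capability is absent)."""
    have = decode_caps(mask)
    return {desc: cap not in have for desc, cap in RESTRICTIONS.items()}


# An unrestricted root on this kernel would hold every bit.
FULL_ROOT_MASK = (1 << len(CAP_NAMES)) - 1

# Constructed sample: a guest root whose mask lacks exactly the five bits above.
GUEST_DROPPED = 0
for _cap in RESTRICTIONS.values():
    GUEST_DROPPED |= 1 << CAP_NAMES.index(_cap)
SAMPLE_GUEST_STATUS = (
    "Name:\tbash\nUid:\t0\t0\t0\t0\nCapEff:\t%016x\n"
    % (FULL_ROOT_MASK & ~GUEST_DROPPED)
)


if __name__ == "__main__":
    # Check the process this script runs as (only meaningful on Linux).
    with open("/proc/self/status") as f:
        own = parse_cap_eff(f.read())
    print("effective caps: %d of %d" % (len(decode_caps(own)), len(CAP_NAMES)))
    for desc, holds in check_restrictions(own).items():
        print("%-25s %s" % (desc, "restricted" if holds else "ALLOWED"))
```

Run it as root inside a guest and as root on the host and compare: in the guest every line should read "restricted", on the host every line "ALLOWED". A line that reads "ALLOWED" inside a guest means that restriction is not in force for that guest's root and is worth investigating.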

Generated on Tue 21 Jan 2014 - 20:25:43 GMT by hypermail 2.1.8