Secure Coding mailing list archives

RE: virtual server - security


From: Jeremy Epstein <jeremy.epstein () webmethods com>
Date: Wed, 31 Mar 2004 19:27:28 +0100

You might also consider one of the IPS products (e.g., Okena/Cisco,
Entercept/NAI, or PlatformLogic), all of which will allow you to constrain
what happens.... and may be somewhat more scalable than VMware if you need
to run a bunch of instances of the virtual environment.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Scott Nemec
Sent: Tuesday, March 30, 2004 6:46 PM
To: [EMAIL PROTECTED]
Subject: Re: [SC-L] virtual server - security


Have you looked at VMware?  ( http://www.vmware.com )

It lets you provide an environment at the hardware-like level inside a
real box.  This way, if the script kiddie gets control of your
virtual environment, you can just reset back to a pre-saved state.
Meanwhile, the real box is protected from the virtual (at least should
be).

On Tue, 30 Mar 2004, Serban Gh. Ghita wrote:

Hello

I am banging my head on the table every day, because I cannot find an
elegant and safe solution to secure a virtual shared environment (server).
Take the following facts:
- you have a virtual server (unix) and you have to take care of a lot of
  clients.
- no one has access to shell, cronjobs or stuff like that, only 21 and 80
- you don't want anyone to get out of his 'box' (eg /home/sasha/)
- you want to allow php, perl or other web languages to run safely and at the
  same time with _almost_ all features.
- in php (because this is one of the most used languages for web - for
  mostly endusers), I have options like safe_mode, but if I activate that,
  many functions and features will not work. I know (because I tested) that
  the best solution is open_basedir, but I cannot create a restriction like
  that for each user, or at least I don't know how to do that.

My problem is that I tested some script-kiddies local exploits (php,perl)
and the system is vulnerable, the user can get out of his box and see system
files (etc/passwd, other dirs).

What are the options here? Any paper or book written about this?

Thanks

Serban Gh. Ghita
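
The original question names open_basedir as the best option but asks how to apply it per user. As an added example (not part of the thread), this script generates one Apache virtual host per client, each with its own `php_admin_value open_basedir`. It assumes mod_php and the /home/<user>/ layout from the post; the `public_html` and `tmp` subdirectories and the domains are constructed, and the setting constrains PHP's file functions only, not Perl or other CGI.

```shell
#!/bin/sh
# Added example: emit one Apache <VirtualHost> stanza per client, each with
# its own PHP open_basedir. Assumes mod_php; public_html/, tmp/ and the
# example.com domains are constructed for illustration.

# Accept only plain account names so a crafted name cannot widen the path.
valid_user() {
    case "$1" in
        ''|-*|*[!a-z0-9_-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# gen_vhost USER DOMAIN: print the stanza; return 1 on a rejected value.
gen_vhost() {
    user=$1 domain=$2
    valid_user "$user" || { echo "rejected user: $user" >&2; return 1; }
    case "$domain" in
        ''|*[!A-Za-z0-9.-]*) echo "rejected domain: $domain" >&2; return 1 ;;
    esac
    home="/home/$user"
    cat <<EOF
<VirtualHost *:80>
    ServerName $domain
    DocumentRoot $home/public_html
    # php_admin_value cannot be overridden from .htaccess or ini_set().
    # Trailing slash: PHP versions that treat the value as a prefix would
    # otherwise let /home/sasha also match /home/sasha2.
    php_admin_value open_basedir "$home/"
    php_admin_value upload_tmp_dir "$home/tmp"
</VirtualHost>
EOF
}

# gen_all: read "user domain" pairs on stdin and skip rejected entries.
gen_all() {
    while read -r user domain; do
        [ -n "$user" ] || continue
        gen_vhost "$user" "$domain" || true
    done
}

# Constructed sample client list; the last entry must be rejected.
sample_clients() {
    printf '%s\n' 'sasha sasha.example.com' 'maria maria.example.com' \
        '../etc evil.example.com'
}

sample_clients | gen_all
```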










