On Sat, 04 Nov 2006 13:54:56 -0500, John Schember <j5483@yahoo.com> wrote:
> On Sat, 2006-11-04 at 13:40 -0500, Kwon wrote:
>> Can a hacked instance of VMWare bring down the entire system?
>
> Considering that VMware server uses kernel modules for operation on the
> host system. Also that it likes to run as root (I haven't checked to see
> if it can run as an unprivileged user) and that it wants to use
> xinetd... I would say that you should at least be careful with it.
>
Well, this gets at my original musing...... are you really safer with a
grsecurity-hardened-chrooted VMware application (with root privileges,
that uses at least some of the host's kernel) or a
grsecurity-hardened-chrooted program with no privilege and only the
additional executables necessary to keep it running.
And if the answer is yes, are you significantly safer?
In one sense there'd be a thicker layer between the host and the server,
but in another sense the added complexity and root host privilege may add
vulnerabilities?
(Sorry if this is foolish...... the answer seems less than obvious)
--
gentoo-security@gentoo.org mailing list
> On Sat, 2006-11-04 at 13:40 -0500, Kwon wrote:
>> Can a hacked instance of VMWare bring down the entire system?
>
> Considering that VMware server uses kernel modules for operation on the
> host system. Also that it likes to run as root (I haven't checked to see
> if it can run as an unprivileged user) and that it wants to use
> xinetd... I would say that you should at least be careful with it.
>
Well, this gets at my original musing...... are you really safer with a
grsecurity-hardened-chrooted VMware application (with root privileges,
that uses at least some of the host's kernel) or a
grsecurity-hardened-chrooted program with no privilege and only the
additional executables necessary to keep it running.
And if the answer is yes, are you significantly safer?
In one sense there'd be a thicker layer between the host and the server,
but in another sense the added complexity and root host privilege may add
vulnerabilities?
(Sorry if this is foolish...... the answer seems less than obvious)
--
gentoo-security@gentoo.org mailing list