Hey Robert, > On 17 Jan 2015, at 19:33, Robert McWilliam <[email protected]> wrote: > > On Wed, Jan 14, 2015 at 08:40:23AM +0000, Andrea Faulds wrote: >> I don’t think allowing access to doorbot is bad, allowing *sudo* >> access is. If it weren’t for sudo access, I wouldn’t have been able >> to do `sudo killall sshd`. (Again, I’m really sorry about that.) >> > <snip> >> One option would just be to run all the toys in a VM on doorbot and >> give people access to the VM. It’d be slow, sure, but none of this >> stuff really needs to be ultra-fast, and if someone screws up, only >> the toys are lost. > > Sorry for the slow response, I'm slowly catching up on emails... > > There is a lot you can do to mess up a machine without root > privileges if you can run arbitrary code.
That is true. Fill up the disk and you can break virtually everything… I’ve done it to myself before. > VMs are a nice way to keep things in a properly managed jail but I > haven't seen any VM tech that would have an easy way to give access to > hardware (usually USB devices for what we've been using up to now) > without giving access to all the devices which could let you break > (current) doorbot. VirtualBox allows USB passthrough for selected devices, could that work? Maybe you could blacklist certain specific things. > Basically, setting up stuff so that we can have "playing" on doorbot with > any confidence that such playing can't break door access is more faff > than I can be bothered with. I'd rather just use another machine that > we're not relying on for playing. If someone else has a sane plan to > set up jails of some description on doorbot and really wants to do > that I could probably be convinced to give you access to do it. I probably don’t have the motivation, and you’d never trust me after I started this debacle (with the best of intentions, mind you!). I have an RPi sitting around, unloved. It could be donated (possibly with some limited strings) to the space as a thing to put toys on. Thoughts? -- Andrea Faulds http://ajf.me/ _______________________________________________ 57north-discuss mailing list [email protected] http://lists.57north.co/listinfo/57north-discuss
