You might also consider one of the IPS products (e.g., Okena/Cisco, Entercept/NAI, or PlatformLogic), all of which will allow you to constrain what happens.... and may be somewhat more scalable than VMware if you need to run a bunch of instances of the virtual environment.

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED]
> Behalf Of Scott Nemec
> Sent: Tuesday, March 30, 2004 6:46 PM
> To: [EMAIL PROTECTED]
> Subject: Re: [SC-L] virtual server - security
>
> Have you looked at VMware? ( http://www.vmware.com )
>
> It lets you provide an environment at the hardware-like level inside a
> real box. This way, if the script kiddie gets control of your
> virtual environment, you can just reset back to a pre-saved state.
> Meanwhile, the real box is protected from the virtual (at least should
> be).
>
> On Tue, 30 Mar 2004, Serban Gh. Ghita wrote:
>
> > Hello
> >
> > I am banging my head on the table every day, because I cannot find an
> > elegant and safe solution to secure a virtual shared environment (server).
> > Take the following facts:
> > -you have a virtual server (unix) and you have to take care of a lot of
> > clients.
> > -no one has access to shell, cronjobs or stuff like that, only 21 and 80
> > -you don't want anyone to get out of his 'box' (eg /home/sasha/)
> > -you want to allow php, perl or other web languages to run safely and at the
> > same time with _almost_ all features.
> > -in php (because this is one of the most used languages for web - for
> > mostly endusers), I have options like safe_mode, but if I activate that,
> > many functions and features will not work. I know (because I tested) that
> > the best solution is open_basedir, but I cannot create a restriction like
> > that for each user, or at least I don't know how to do that.
> >
> > My problem is that I tested some script-kiddies local exploits (php,perl)
> > and the system is vulnerable, the user can get out of his box and see system
> > files (etc/passwd, other dirs).
> >
> > What are the options here? Any paper or book written about this?
> >
> > Thanks
> >
> > Serban Gh. Ghita
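
Added example, not part of the original thread or any poster's code: one way to get the per-user open_basedir restriction the original question asks about is to generate one Apache virtual host per customer and pin the value with mod_php's `php_admin_value`, which scripts and .htaccess files cannot override. The `/home/<user>/` layout follows the post; the `www` docroot, the domain names and all function names are assumptions made for illustration.

```python
import posixpath
import re

HOME_ROOT = "/home"  # assumption: customer boxes are /home/<user>/, as in the post
USER_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
DOMAIN_RE = re.compile(r"^[a-z0-9]([a-z0-9.-]*[a-z0-9])?$")


def basedir_for(user):
    """Return the open_basedir value for one customer account."""
    if not USER_RE.match(user):
        # Rejects "../x", "a/b", quotes and newlines before they reach the config.
        raise ValueError("unsafe account name: %r" % user)
    # The trailing slash matters: PHP releases of the thread's era compared
    # open_basedir as a string prefix, so "/home/sasha" also admitted "/home/sasha2".
    return posixpath.join(HOME_ROOT, user) + "/"


def vhost_stanza(user, domain):
    """Build the Apache stanza that confines PHP file access for one customer."""
    base = basedir_for(user)
    if not DOMAIN_RE.match(domain):
        raise ValueError("unsafe domain: %r" % domain)
    return "\n".join([
        "<VirtualHost *:80>",
        "    ServerName %s" % domain,
        "    DocumentRoot %swww" % base,  # hypothetical docroot layout
        # php_admin_value cannot be changed from .htaccess or ini_set().
        '    php_admin_value open_basedir "%s"' % base,
        "</VirtualHost>",
        "",
    ])


def prefix_allows(basedir, path):
    """Simplified model of prefix-style matching (real PHP also resolves symlinks)."""
    return (posixpath.normpath(path) + "/").startswith(basedir)


if __name__ == "__main__":
    # Constructed sample accounts, not taken from the thread.
    for user, domain in [("sasha", "sasha.example"), ("sasha2", "other.example")]:
        print(vhost_stanza(user, domain))
```

open_basedir only constrains PHP's own file functions; Perl and other CGI languages mentioned in the question need a separate confinement mechanism.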
