Re: [Vserver] secure a guest against the host's root-account
Quoting Oliver Welter ([EMAIL PROTECTED]):
> Hi Mike, Serge,
>
> >>>So, is there any way to do this ? I guess that SELinux/GR will offer
> >>>some pointers to forbid root these actions, but are there any "easier"
> >>>ways ??
> >>>
> >>Sounds like SELinux is the tool of choice for that.
> >
> >And if your concern is with the host's admins, not with exploited root
> >apps on the host server, then selinux still won't help you.

But OTOH, adding selinux controls over vserver could be useful in
protecting you from other exploits on the host machine. Or from
sub-admins, as mentioned previously. Might be worth considering.

> Partially my second question here on the list regarding TPM support
> would be a great possibility to ensure and certify a certain state of
> the Root-Server.

Kent (cc'd) might be able to give some more details, but as I recall
while tpm is root-safe in some aspects, actually exploiting that to
really protect something from root is Danged Difficult. What exactly
would you want to protect?

> But to keep on track - are there any good howtos for SELinux/vserver

Haha, second hit on google says you use them together by disabling
selinux :)

But more seriously, you could just assign a new type
(httpd_vserver_file_t) to everything under /vservers/httpd, only allow
httpd_vserver_t to access those files, and make vserver an entry point
to it. Not sure what you'd achieve, or exactly what you want to
achieve, but we can toss the idea around and see where we get.

-serge
___
Vserver mailing list
Vserver@list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
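The labelling scheme described in the message above, written as a reference-policy module. This is an added example, not part of the original post or of the Linux-VServer project. The types httpd_vserver_t and httpd_vserver_file_t are the ones named in the message; vserver_exec_t, the /usr/sbin/vserver path and the choice of sysadm_t as the launching domain are assumptions.

```selinux
# httpd_vserver.te -- type enforcement, built against the reference policy
policy_module(httpd_vserver, 1.0.0)

gen_require(`
	type sysadm_t;   # assumption: domain of the admin who starts the guest
	role sysadm_r;
')

type httpd_vserver_t;        # domain the guest's processes run in
type httpd_vserver_file_t;   # label for everything under /vservers/httpd
type vserver_exec_t;         # hypothetical label for the vserver launcher

domain_type(httpd_vserver_t)
files_type(httpd_vserver_file_t)
role sysadm_r types httpd_vserver_t;

# "make vserver an entry point": executing the launcher from sysadm_t
# transitions the new process into httpd_vserver_t.
domain_entry_file(httpd_vserver_t, vserver_exec_t)
domtrans_pattern(sysadm_t, vserver_exec_t, httpd_vserver_t)

# "only allow httpd_vserver_t to access those files": this module grants
# access to the guest tree to no other domain.
manage_dirs_pattern(httpd_vserver_t, httpd_vserver_file_t, httpd_vserver_file_t)
manage_files_pattern(httpd_vserver_t, httpd_vserver_file_t, httpd_vserver_file_t)
manage_lnk_files_pattern(httpd_vserver_t, httpd_vserver_file_t, httpd_vserver_file_t)
can_exec(httpd_vserver_t, httpd_vserver_file_t)

# Limit of the scheme: "only" holds for confined domains. Domains that are
# granted access to all file types (unconfined_t, and sysadm_t in many
# policies) still reach these files, and a host root who can load policy or
# switch to permissive mode is not constrained at all. That is the
# sub-admin versus host-admin distinction made in this thread.

# httpd_vserver.fc -- file contexts (separate file, shown here as comments)
# /vservers/httpd(/.*)?      gen_context(system_u:object_r:httpd_vserver_file_t,s0)
# /usr/sbin/vserver     --   gen_context(system_u:object_r:vserver_exec_t,s0)
```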
Re: [Vserver] secure a guest against the host's root-account
> "open-up-vservers-like-cracked-eggs.ko"?

That sounds interesting - where do I get that one from ;-)

--
Sebastian "tokkee" Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/
Re: [Vserver] secure a guest against the host's root-account
Quoting Eugen Leitl ([EMAIL PROTECTED]):
> On Tue, Apr 25, 2006 at 08:25:37PM +1000, Tony Lewis wrote:
>
> > I think this would be a valuable addition to vservers. One of the risks
> > of "renting" a virtual server (pick your flavour) is that you're not
> > safe from the hosting sysadmin. If vservers could offer something like
>
> You are never safe from the hoster. Either you trust her, or you don't.
> It's as simple as that.
>
> (Or, you bring in sealed tamper-proof hardware in, then you have
> some degree of protection).

Agreed.

Now if you *are* the host admin, you can provide the needed
infrastructure so that you can farm out some of the lighter admin work
to "mostly but not quite trusted" sub-admins, and keep them from poking
the vservers.

But you simply cannot protect from the host admin. After all, what
makes him run your new kernel, unpatched? What stops him rebooting, or
poking /dev/kmem, or loading kernel module
"open-up-vservers-like-cracked-eggs.ko"?

-serge
Re: [Vserver] secure a guest against the host's root-account
On Tue, Apr 25, 2006 at 08:25:37PM +1000, Tony Lewis wrote:

> I think this would be a valuable addition to vservers. One of the risks
> of "renting" a virtual server (pick your flavour) is that you're not
> safe from the hosting sysadmin. If vservers could offer something like

You are never safe from the hoster. Either you trust her, or you don't.
It's as simple as that.

(Or, you bring in sealed tamper-proof hardware in, then you have
some degree of protection).

> that, it's a real selling point. It's much closer to a dedicated server
> then, in terms of (quasi) physical security.

--
Eugen* Leitl leitl http://leitl.org
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
Re: [Vserver] secure a guest against the host's root-account
Herbert Poetzl wrote:
> On Mon, Apr 24, 2006 at 08:02:43AM +0200, Oliver Welter wrote:
> > So, is there any way to do this?
>
> definitely, if you plan to pursue this direction, please contact me
> and I will see what I can do.

I think this would be a valuable addition to vservers. One of the risks
of "renting" a virtual server (pick your flavour) is that you're not
safe from the hosting sysadmin. If vservers could offer something like
that, it's a real selling point. It's much closer to a dedicated server
then, in terms of (quasi) physical security.

Tony
Re: [Vserver] secure a guest against the host's root-account
Hi there,

> Q: Is there a way to prevent that a superuser on the host system can

Well, usually one characteristic of a superuser is the right to do
_everything_. Even if you use something like SELinux or whatever, most
superusers have physical access to their machines in one way or another.

IMHO the best way to prevent a superuser from having access to sensible
data is to use some form of PGP/GnuPG (or the like) encryption. But even
then the superuser is able to read the memory of running processes...

Cheers,
Sebastian

--
Sebastian "tokkee" Harl
GnuPG-ID: 0x8501C7FC
http://tokkee.org/
Re: [Vserver] secure a guest against the host's root-account
On Mon, Apr 24, 2006 at 08:02:43AM +0200, Oliver Welter wrote:
> Hi Folks,
>
> this might be a strange question for some of you as it is more an
> academical interest, but I hope you can help me out ;)
>
> Q: Is there a way to prevent that a superuser on the host system can
>
> * see process of a guest
> * enter a guest
> * receive any other valuable info from the guest

well, all this is _theoretically_ possible, and in many cases quite
easy, for example the 'enter' part is already there, just not
activated.

we could also hide certain guests or guest processes from the watch
(spectator) context, it would probably be a little harder with the
filesystem though, although private namespaces could help there too.

the question is, what would stop a malicious user from using exactly
those features to hide evil stuff from the host admin?

> The idea behind is easy - I want to give away a guest system that
> uses an encrypted filesystem for its sensible data. The guest system
> itself will provide only very limited access to the data via an API
> and it must be prevented by any means that even the "Bofh" of the host
> can access any of the data

I can imagine having a kernel compile time option to enable certain
'security' features ... or disable certain host admin capabilities

> So, is there any way to do this?

definitely, if you plan to pursue this direction, please contact me
and I will see what I can do.

best,
Herbert

> I guess that SELinux/GR will offer some pointers to forbid root these
> actions, but are there any "easier" ways ??
>
> Oliver
> --
> This message was digitally signed
> oliwel's public key: http://www.oliwel.de/oliwel.crt
> Root certificate: http://www.ldv.ei.tum.de/page72
Re: [Vserver] secure a guest against the host's root-account
Hi Mike, Serge,

>>>So, is there any way to do this ? I guess that SELinux/GR will offer
>>>some pointers to forbid root these actions, but are there any "easier"
>>>ways ??
>>>
>>Sounds like SELinux is the tool of choice for that.
>
>And if your concern is with the host's admins, not with exploited root
>apps on the host server, then selinux still won't help you.

Partially my second question here on the list regarding TPM support
would be a great possibility to ensure and certify a certain state of
the Root-Server.

But to keep on track - are there any good howtos for SELinux/vserver

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Root certificate: http://www.ldv.ei.tum.de/page72
Re: [Vserver] secure a guest against the host's root-account
Quoting Michael S. Zick ([EMAIL PROTECTED]):
> On Mon April 24 2006 01:02, Oliver Welter wrote:
> > Hi Folks,
> >
> > this might be a strange question for some of you as it is more an
> > academical interest, but I hope you can help me out ;)
> >
> > Q: Is there a way to prevent that a superuser on the host system can
> >
> > * see process of a guest
> > * enter a guest
> > * receive any other valuable info from the guest
> >
> > The idea behind is easy - I want to give away a guest system that uses
> > an encrypted filesystem for its sensible data. The guest system itself
> > will provide only very limited access to the data via an API and it must
> > be prevented by any means that even the "Bofh" of the host can access
> > any of the data
> >
> > So, is there any way to do this ? I guess that SELinux/GR will offer
> > some pointers to forbid root these actions, but are there any "easier"
> > ways ??
> >
> Sounds like SELinux is the tool of choice for that.

And if your concern is with the host's admins, not with exploited root
apps on the host server, then selinux still won't help you.

-serge
Re: [Vserver] secure a guest against the host's root-account
On Mon April 24 2006 01:02, Oliver Welter wrote:
> Hi Folks,
>
> this might be a strange question for some of you as it is more an
> academical interest, but I hope you can help me out ;)
>
> Q: Is there a way to prevent that a superuser on the host system can
>
> * see process of a guest
> * enter a guest
> * receive any other valuable info from the guest
>
> The idea behind is easy - I want to give away a guest system that uses
> an encrypted filesystem for its sensible data. The guest system itself
> will provide only very limited access to the data via an API and it must
> be prevented by any means that even the "Bofh" of the host can access
> any of the data
>
> So, is there any way to do this ? I guess that SELinux/GR will offer
> some pointers to forbid root these actions, but are there any "easier"
> ways ??
>
Sounds like SELinux is the tool of choice for that.

Mike

> Oliver
[Vserver] secure a guest against the host's root-account
Hi Folks,

this might be a strange question for some of you as it is more an
academical interest, but I hope you can help me out ;)

Q: Is there a way to prevent that a superuser on the host system can

* see process of a guest
* enter a guest
* receive any other valuable info from the guest

The idea behind is easy - I want to give away a guest system that uses
an encrypted filesystem for its sensible data. The guest system itself
will provide only very limited access to the data via an API and it must
be prevented by any means that even the "Bofh" of the host can access
any of the data

So, is there any way to do this ? I guess that SELinux/GR will offer
some pointers to forbid root these actions, but are there any "easier"
ways ??

Oliver
--
This message was digitally signed
oliwel's public key: http://www.oliwel.de/oliwel.crt
Root certificate: http://www.ldv.ei.tum.de/page72