From: Ian B. <ib...@gm...> - 2004-12-13 23:55:30
|
Hence the problem then, since your users could use whatever image they wanted.. and therefore easily subvert your NT machine. Especially if they have root on their coLinux instances.. or are they going to have user-only access on the Linux sub-systems? Ian On Mon, 13 Dec 2004 18:35:48 -0500, Sarah Tanembaum <sar...@ya...> wrote: > Joe Wells (reverse mailbox letters only for non-public replies) wrote: > > > > Sarah Tanembaum <sar...@ya...> writes: > > > > > >>peter green wrote: > >> > >>>colinux is not a jail tool if you wan't to offer jailed virtual machines > >>>then you should use an appropriate tool (zen,uml,vmware esx,vmware gsx). > >>>The linux kernel in colinux runs in kernel mode and has full access > >>>to all physical hardware and memory. > >>>i don't think anyone really knows how hard it would be to takeover > >>>windows from there but its definately possible. > >>>it may be possible to combine colinux with other kernel patches to > >>>stop users getting thier own code running in kernel mode in the first place but > >>>it would require great care to close up all possibilities. > >> > >>Hi Peter, I think you're onto something interesting. I like CoLinux > >>solution(thanks to Dan Aloni and the gang) as compare to its > >>commercial sibling such as vmware. Not only colinux is free, it > >>requires less resources. > > > > ^^^^^^^^^^^^^^^^^^^^^^^ > > > > The interesting thing here is that the reason it requires less > > resources is the same reason that allowing someone to run any coLinux > > disk image is the same as allowing them to take over the machine. It > > is difficult to have one without the other. > > > > > >>But as any good software, it still need some ironing out. > > > > > > You would probably want a completely hardened Linux installation in > > order for someone using coLinux not to be able to break root on it and > > therefore also get full access to the whole machine. A nice project > > for someone would be to make a coLinux disk image containing Gentoo > > based on the 'selinux' or 'hardened' Gentoo profiles. > > > > Of course, I'm assuming you aren't planning on actually giving > > physical possession of the machine(s) running coLinux to your users. > > Making that secure is more difficult. You would have to at least > > prevent booting from CD and USB and hope your users don't open up the > > case and temporarily attach the hard drive to another computer. > > > > You are correct! The host machine is in the data center where no user > has any physical access to it. They will use terminal services to login > to their windows account on the host server where they will run their > own coLinux for either development and/or testing. > > Sarah > > > > > ------------------------------------------------------- > SF email is sponsored by - The IT Product Guide > Read honest & candid reviews on hundreds of IT Products from real users. > Discover which products truly live up to the hype. Start reading now. > http://productguide.itmanagersjournal.com/ > _______________________________________________ > coLinux-users mailing list > coL...@li... > https://lists.sourceforge.net/lists/listinfo/colinux-users > |