[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: suEXEC witch mod_userdir

Seth Mattinen wrote:
> It also means you don't have to to screwy things to separate services
> running on the same machine. Sure you can do run on-server firewalls,
> run multiple instances of daemons out of different roots, views, or
> similar things. Or you can simplify and split them out to their own VM.
> When the next remote root exploit for something comes along, who cares?
> It's in it's own little world. You can rest easily knowing there's no
> way for anything to get outside the VM. Fix it, of course, but the scope
> of damage is restricted to a known environment. Even worse, you get
> rooted. Do you really know the extent? Most people will recommend you
> wipe it and restore. Much less painful if it's just one tiny VM.

Oh, you didn't get it. I didn't say I agree on putting things on
separate VMs, I also think it's useless. I was just discussing things
about I/O, CPU and network scheduling, saying that IT IS available NOW.

> Some audit processes require such separation - some even require NAT in
> absurd cases. Sure, argue it, but the auditors will still put you down.
> I'm sure you'll find reasons to argue against every little thing I said
> and claim I'm wrong, but to state there is absolutely never any reason
> to run virtual servers for services that could be combined is ignorant
> and absurd.

I also think this way, reread please, and tell me where I wrote I didn't
agree with you. I would also add that having separate VMs instead of one
multiple the workload for doing security updates, and also that you
could get multiple VMs hacked instead of a single server.

But that doesn't changes the fact that VMs are cool stuffs, but for
other usages, like getting them for a fraction of the price of a
dedicated server, sharing a server with multiple users with a nice
privilege separation, etc. Commercial VPS hosting is 80% of my company
activity so...


Reply to: