[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: suEXEC witch mod_userdir



Thomas Goirand wrote:
> Seth Mattinen wrote:
>> It also means you don't have to to screwy things to separate services
>> running on the same machine. Sure you can do run on-server firewalls,
>> run multiple instances of daemons out of different roots, views, or
>> similar things. Or you can simplify and split them out to their own VM.
>> When the next remote root exploit for something comes along, who cares?
>> It's in it's own little world. You can rest easily knowing there's no
>> way for anything to get outside the VM. Fix it, of course, but the scope
>> of damage is restricted to a known environment. Even worse, you get
>> rooted. Do you really know the extent? Most people will recommend you
>> wipe it and restore. Much less painful if it's just one tiny VM.
> 
> Oh, you didn't get it. I didn't say I agree on putting things on
> separate VMs, I also think it's useless. I was just discussing things
> about I/O, CPU and network scheduling, saying that IT IS available NOW.

I still don't understand what you're trying to say is "available now".


>> Some audit processes require such separation - some even require NAT in
>> absurd cases. Sure, argue it, but the auditors will still put you down.
>> I'm sure you'll find reasons to argue against every little thing I said
>> and claim I'm wrong, but to state there is absolutely never any reason
>> to run virtual servers for services that could be combined is ignorant
>> and absurd.
> 
> I also think this way, reread please, and tell me where I wrote I didn't
> agree with you. I would also add that having separate VMs instead of one
> multiple the workload for doing security updates, and also that you
> could get multiple VMs hacked instead of a single server.
>
> But that doesn't changes the fact that VMs are cool stuffs, but for
> other usages, like getting them for a fraction of the price of a
> dedicated server, sharing a server with multiple users with a nice
> privilege separation, etc. Commercial VPS hosting is 80% of my company
> activity so...
> 

I was alluding to privilege separation. You don't have to have multiple
users to want it. Very few products have a perfect record. I haven't
figured out how to predict the future yet.

~Seth


Reply to: