Re: How secure is vserver?
On Fri, Jun 5, 2009 at 9:54 AM, Izak Burger<isburger@gmail.com> wrote:
> If you push me for an answer, I'll say qemu, virtualbox and/or vmware
> should be safer, but in practice I will likely choose vserver because
> there is way less complexity involved and much better performance.
One more thing. You have to factor in the goals of the attacker. If
the attacker is only interested in another node in his botnet, he
won't care about breaking through to the "host", he may not even care
about obtaining root as he may already have sufficient access to run
whatever malware he wants to run. He may not even know (nor care) that
he's running his software inside a UML (userspace linux) process.
I also suspect that the goal of breaking through to the "host" would
be to gain access to the other virtual hosts on that machine, and it
might be easier to just attack those other virtual hosts directly, or
to attack the host itself directly, since it will likely run the same
versions of software anyway. While this is no excuse for not picking a
secure solution in the first place, I do not currently know of any
exploits in linux-vserver, and picking a virtualised solution for
marginally better security seems a backwards way to go about things.
There are other factors: performance, ease of use, features,
portability, that are much more important when making the decision on
what virtualisation technique to use. In other words, it might be
easier to spend a little more time hardening your virtual hosts (to
keep attackers out in the first place) and have a better performing
and easier to manage solution, rather than having a very secure but
incredibly hard to live with setup.
This is my opinion though, worth about 0.02 ZAR (which isn't much, but
at least more than 0.02 ZWD) :-P
Reply to: