[brlug-general] VMware security..
Fernando Vilas
fvilas at iname.com
Sun Sep 23 17:20:06 CDT 2007
On Saturday 22 September 2007 21:15:00 Dustin Puryear wrote:
> We push VMware, so this hits us too:
>
> http://www.forbes.com/security/2007/09/21/virtualization-software-security-tech-security_cx_ag_0921vmware.html
>
> How risky is putting all of your eggs into one basket?

One of the main selling points of virtualization is the idea that a VM can't
get to the host, so the host should never be at risk. We've been dealing
with Solaris Containers (zones) a lot lately at work, and they market them
the same way. Solaris Containers are based on the BSD jail model, and are
Common Criteria certified to a pretty advanced level.

What I found really interesting the last time I did a BIND upgrade was that
the docs now say that on a Linux box, it is less secure to run named in a
chroot jail than to let it run as a non-root user and load the capability
kernel module so that it can drop privs when it doesn't need them. They
claim that this is due to something in chroot jails not playing nice with
named.

To VMware's credit, their representative acknowledges that this is an issue
with software in general and advises keeping up to date on the patches. I
wonder how news like this will affect other virtualization platforms like Xen
and KVM going forward.

--
Thanks,
Fernando Vilas
fvilas at iname.com