On 09/11/2010 10:36 PM, Adrian Reyer wrote:
> On Sat, Sep 11, 2010 at 11:19:07AM +0100, Gordan Bobic wrote:
[snip]
> Be aware
> I don't use VServers for security reasons, but to be able to
> administrate e.g. the webserver separately from the database server,
> despite both being small enough to run on the same host. I don't run
> e.g. potentially hostile webservers on my hosts. So any security flaws
> that relate to inner-VServer/host are no real concern to me and I
> actually only spent minor thoughts on it.

Interestingly, in my case, the main reason why I am separating things
into vservers rather than run them on bare metal is precisely because I
want more isolation for security reasons. If somebody finds a 0-day
exploit in a CMS and pwns Apache and gains some level of access to the
host, I don't want that to be on the same host containing, say, a mail
server.

That's mainly why I was asking about guests' access to services running
on loopback on the host. But then again, I see no reason why the
loopback interface on the host couldn't be suitably firewalled to
prevent the obvious problems. I was just wondering if there is something
obscure yet dangerous about this sort of a setup in terms of security.

Gordan
Received on Sat Sep 11 23:15:24 2010