eiginn / coreemu

Automatically exported from code.google.com/p/coreemu
BSD 2-Clause "Simplified" License

User inside each container has root privileges #211

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
Since the user in the shell of each node is root, there is basically no limit to
what a CORE user can do on the system. This is fine for scientific experiments
utilizing network emulation, but severely limits the usability of CORE in a teaching
environment, especially if the PC is shared among multiple students.

Is there anything that can be done to limit the system-wide privileges of a
user inside a node?

Original issue reported on code.google.com by riva...@gmail.com on 1 Jun 2013 at 8:24

GoogleCodeExporter commented 9 years ago
control groups (cgroups) could be used for better resource isolation

you would likely want a unique root filesystem mounted for each user

still, the LXC / Linux container approach is not nearly as hardened as other
virtualization technologies such as OpenVZ, Xen, etc.; CORE has some support
for Xen, but it requires much greater resources (CPU/RAM per VM)

each student could be given their own CORE Virtual Machine to keep experiments 
self-contained (again requires more resources...)

Original comment by ahrenh...@gmail.com on 3 Jun 2013 at 6:30

GoogleCodeExporter commented 9 years ago
How would cgroups help here and what is the approach that CORE currently uses?

Original comment by riva...@gmail.com on 3 Jun 2013 at 8:25

GoogleCodeExporter commented 9 years ago
cgroups could help isolate e.g. CPU/memory usage, to limit the max CPU that one 
vnoded (LXC / container) could use

currently CORE's approach is to just provide the most lightweight node 
possible, which is why there is no security/permissions controls

Original comment by ahrenh...@gmail.com on 3 Jun 2013 at 8:35
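The per-node CPU/memory limits this comment suggests, as an added example that is not CORE's own code: it assumes a cgroup v2 host (cgroup v1 was current in 2013), root privileges when run against the real /sys/fs/cgroup, and the function names confine_node, read_limits and dry_run are mine.

```python
import tempfile
from pathlib import Path

# Assumption (not CORE's code): the host mounts the cgroup v2 unified hierarchy here.
CGROUP_ROOT = Path("/sys/fs/cgroup")
CONTROLLERS = ("cpu", "memory", "pids")


def cpu_max_value(cpu_percent, period_us=100_000):
    """cpu.max takes '<quota_us> <period_us>'; 25% of one CPU -> '25000 100000'."""
    if cpu_percent <= 0:
        raise ValueError("cpu_percent must be positive")
    return f"{int(period_us * cpu_percent / 100)} {period_us}"


def confine_node(name, cpu_percent, mem_bytes, pids_max, pids=(), root=CGROUP_ROOT):
    """Create <root>/<name> with CPU, memory and PID limits and move the given
    PIDs (e.g. a node's vnoded and its children) into it. Returns the values written."""
    root = Path(root)
    # A child cgroup only sees a controller once the parent delegates it.
    with open(root / "cgroup.subtree_control", "w") as f:
        f.write(" ".join("+" + c for c in CONTROLLERS) + "\n")
    cg = root / name
    cg.mkdir(exist_ok=True)
    settings = {
        "cpu.max": cpu_max_value(cpu_percent),
        "memory.max": str(mem_bytes),  # hard cap; the OOM killer fires above it
        "pids.max": str(pids_max),     # bounds fork bombs inside the node
    }
    for fname, value in settings.items():
        (cg / fname).write_text(value + "\n")
    # One PID per write(): cgroupfs moves exactly that process into cg.
    with open(cg / "cgroup.procs", "a") as f:
        for pid in pids:
            f.write(f"{pid}\n")
            f.flush()
    return settings


def read_limits(name, root=CGROUP_ROOT):
    """Read back the three limit files plus the PIDs currently in the cgroup."""
    cg = Path(root) / name
    limits = {k: (cg / k).read_text().strip() for k in ("cpu.max", "memory.max", "pids.max")}
    limits["pids"] = [int(p) for p in (cg / "cgroup.procs").read_text().split()]
    return limits


def dry_run(name="student1", cpu_percent=25, mem_bytes=256 * 2**20, pids_max=100, pids=(1234, 5678)):
    """Perform the same writes against a scratch directory (constructed input) instead of cgroupfs."""
    with tempfile.TemporaryDirectory() as tmp:
        confine_node(name, cpu_percent, mem_bytes, pids_max, pids, root=tmp)
        return read_limits(name, root=tmp)
```

Pass the real vnoded PIDs and the default root to confine_node to enforce the limits on a live node; dry_run only shows what would be written.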

GoogleCodeExporter commented 9 years ago
Yeah, I'm concerned about changing system configuration, rebooting or so. 
Resource usage control is a nice thing, but certainly not too high on my 
priorities list.

What's the situation on BSD side?

Original comment by riva...@gmail.com on 3 Jun 2013 at 8:39

GoogleCodeExporter commented 9 years ago
For BSD, CORE uses jails. We haven't tested the FreeBSD support lately (lack of
user interest). With FreeBSD it is possible to use a ZFS root filesystem, but
CORE hasn't been updated to support this. Since jails were originally a
security mechanism (versus namespaces/containers), I'm guessing you could
achieve better isolation.

Original comment by ahrenh...@gmail.com on 24 Jun 2013 at 5:11