[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [K12OSN] teaching kids sys admin with VM's



Robert Arkiletian wrote:
On Jan 17, 2008 4:03 PM, Les Mikesell <les futuresource com> wrote:
You configure on the host side which NIC(s) to bridge and/or nat.  Then
these appear as virtual interfaces to the guest OS.  The guest only sees
the interfaces that you pre-configured on the host when you ran the
vmware-configure.pl script (which you have to do when you ugrade the
vmware software or the host kernel).  There is also an option of 'host
only' networking so the guests can see themselves and the host only like
an isolated subnet which normally isn't useful for anything but testing.

If I put the VM server on a seperate box on the ltsp internal network
and give it a static ip (rejecting everything except port 80), then
make sure the VM's nics only connect to the host through NAT so the
VM's are in an isolated network wouldn't that pretty much take care of
the security issue. What's the worst thing they could do? They would
only be able to mess with the other VM's on the host box not my ltsp
server, correct?

I wouldn't be particularly concerned about what a VM can do compared to a physical host. NFS is about the only protocol that cares much about the client uid and you could spoof anything equally well from a knoppix CD boot or appropriate windows tools anyway. A root user on a client vm would be able to use tcpdump or wireshark to see everything the host and other clients see on a bridged interface. I'm not sure how the nat interfaces work in that regard - but again you could do it from windows too. You have some control over who can access each machine in that you can only connect to a machine if you have execute permission on its *.vmx file that has the machine definition. You should be able to pre-create an uninstalled vm, copy it for each user and with appropriate ownership and mode settings, each user will only be able to see and start his own VM. Only one will be able to grab 'real' resources like the host CD,floppy, sound, or usb devices at at time, though. I think the system will permit a user to increase the ram his vm will see, but top or ps on the host would show the real resource usage by vm.

--
  Les Mikesell
   les futuresource com


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]