[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Securing a Relay - chroot

To: tor-talk@xxxxxxxxxxxxxxxxxxxx
Subject: Re: [tor-talk] Securing a Relay - chroot
From: Martin Fick <mogulguy@xxxxxxxxx>
Date: Thu, 26 May 2011 10:02:39 -0700 (PDT)
Delivered-to: archiver@xxxxxxxx
Delivery-date: Thu, 26 May 2011 13:02:57 -0400
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com; s=s1024; t=1306429359; bh=/bVL/+Hy45Ok7dYSVpMm4wHUwD5Xj398f1BmEMeG6xg=; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=mqr4AHQOhVpNxOlO8TVp+OhIisDB35tGVpUkuAkN072fbOBVb4xibiE9Vl7yqaTxOXJAQ1arF+Pviy1Vfr48A0k3LiotZjfTsZ/Lp2m45iF4bwAKyBCpYe2YEBUmcfBHYjOHmQcBNNcaCfCdCm16rreymMFDTsrMH5Yl+VprUR0=
Domainkey-signature: a=rsa-sha1; q=dns; c=nofws; s=s1024; d=yahoo.com; h=Message-ID:X-YMail-OSG:Received:X-Mailer:Date:From:Subject:To:In-Reply-To:MIME-Version:Content-Type:Content-Transfer-Encoding; b=Qk4zhI63PLYjo/Y8wS/9kLEh/uCgAaCNW/dgRrAl83H4A351aQ3ROqhHRLv7dF6hYotrxEOouVEcu+fgpYzldj/TojvmBiKYNtuiNoMe5kyF3CYcDpA0DBQ0uclAq4/zbbviGSaAjN2DAsvwrGe6cO6BajJZyksD1c6w580eNDU=;
In-reply-to: <201105260912.25523.CACook@xxxxxxxxxxxxxxx>
List-archive: <http://lists.torproject.org/pipermail/tor-talk>
List-help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-id: "This mailing list is for all discussion about theory, design, and development of Onion Routing." <tor-talk.lists.torproject.org>
List-post: <mailto:tor-talk@lists.torproject.org>
List-subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
List-unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
Reply-to: tor-talk@xxxxxxxxxxxxxxxxxxxx
Sender: tor-talk-bounces@xxxxxxxxxxxxxxxxxxxx

--- On Thu, 5/26/11, CACook@xxxxxxxxxxxxxxx <CACook@xxxxxxxxxxxxxxx> wrote:

> > So you're worrying about a compromised vserver guest
> > compromising the host, which is then used to attack
> > your LAN segment?
> 
> Doesn't even have to compromise the host.  With the
> guest in the same class C it can monitor traffic.

This is not true with a vserver, they use IP aliases,
and do not have raw access to the network interface
(unless you give them those specific capabilities).

With lxc you could give it that access, but you
could also firewall its interface from within the
host so that this is not possible (unless the host
is compromised).

-Martin

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

References:
- Re: [tor-talk] Securing a Relay - chroot
  - From: CACook

Prev by Author: Re: [tor-talk] Securing a Relay - chroot
Next by Author: Re: [tor-talk] Securing a Relay - chroot
Previous by thread: Re: [tor-talk] Securing a Relay - chroot
Next by thread: Re: [tor-talk] Securing a Relay - chroot
Index(es):
- Author
- Thread