Big security risk with global sharing

Discussion in 'Parallels Desktop for Mac' started by goron, Jan 24, 2007.

  1. Resuna

    Resuna

    Messages:
    54
    I find a FreeBSD jail is just about as recoverable and secure and a whole lot less overhead, and while OS X doesn't have that (alas) a chrooted environment comes close. I wonder how much you'd have to clone to run OS X apps chrooted.
     
  2. dm3

    dm3

    Messages:
    46
    I totally agree. Sandboxes are great provided they are or can be well isolated from the rest of the system. Besides just running Windows, I love having VMs for multi-platform software development. Develop on the mac but install and test on as many platforms as you'd like. Install blew up the OS? No problem, just refresh from a previous VM image.
    You can also have a sandbox Windows VM to run questionable software that might contain a virus or spyware without it harming anything (unless GFS is turned on...)

    I'm still vague on what shared resources you're concerned with. I assume things like disk space, memory, CPU utilization? I've read that disk quotas can be imposed on Mac OS X. Memory and CPU util shouldn't be a huge issue if your child is the only one using the system and there isn't a errant program running.
     
  3. dkp

    dkp

    Messages:
    1,367
    One of the reasons I like Solaris containers so much is that there is no emulation - everything is native. Like the jail, the container runs in total isolation using assigned resources from the host. I have no qualms about handing out root password like candy for containers users. And the ability to dole out resources like cpu and RAM is hard to beat.

    For the larger audience, imagine having the ability in Parallels to assign 30% cpu capacity to one vm, 10% to another, etc. just as RAM is parceled out now. And storage allocation can work the same way. This kind of fine tuning has extreme advantages, particularly when implementing appliances, and creating layered environments where dev, test, and production run on identical (literally the same) hardware and software, but with more or fewer assets provisioned, depending on need. Priority based dynamic provisioning is a very nice thing.
     
  4. dkp

    dkp

    Messages:
    1,367
    Every Unix user has write access to certain common areas of the file system, and by implication, so too do any viruses that make it through your browser, chat proggy, ftp, what ever. There are tools built in to the system to help the admin control the damage that can be done by an exploit. These are: disk quota (OS X uses the BSD quota tools), ACL's (Access Control List), and restricted shells. If you are contemplating a host-based sandbox then each of these should be a part of your strategy. In fact you cannot consider yourself successful until you do employ them.

    In your scenario I would definitely look at each of these tools and deploy them in what ever manner satisfies your needs.

    Something we need to keep in mind is that OS X is quite vulnerable to human engineering and human error/ignorance attacks, and that the number of systems is growing fast - a fact not lost on the creative hacker. While Windows has been the doormat of the black hats for some time now, Mac users should not be complacent about their good fortune to date. That is all about to change.
     
  5. Resuna

    Resuna

    Messages:
    54
    People have been saying that since, oh, late 1997 or so. They'll be saying that in 2017 if Microsoft doesn't pull out ActiveX and take a good hard look at DotNET. Before 1997, before Active Desktop, Windows really wan't the overwhelming leader in viruses it became that year.

    Well, that's unless Steve Jobs has a sudden attack of Windows Envy and dives into the vulnerability pool instead of dabbling around the edges like he's been.

    Don't forget, the first major Internet-based worm was on UNIX, back in 19*8*7, and despite UNIX providing the majority of servers through at least the end of the century, and despite most of them being the same Sun boxes that the Internet Worm and Code Red (the only other really newsworthy worm that could use UNIX security holes) used... there's only *been* those two big peaks... and Code Red mostly propogated over IIS.

    This doesn't mean complacency is OK. There's been some great stories of Mac users leaving their Wifi open and unencrypted because Macs couldn't get viruses (rather like leaving your front door unlocked because your car alarm is a good name brand)... but there's not likely to be any major change in the environment in the near future. Something else I've been saying since, oh, 1998 or so after I realised that Microsoft wasn't going to do the smart thing and drive the problem of "Active Content" attacks back down to the noise level...
     
  6. dkp

    dkp

    Messages:
    1,367
    You remind me of Paul Vixie :) Same energy, same passions.
     

Share This Page