OpenVZ Forum



Members   Search      Help    Register    Login    Home
Home » Mailing lists » Users » Security risks in ve_allow_kthreads
Security risks in ve_allow_kthreads [message #25776] Tue, 08 January 2008 14:19 Go to next message
Jakob Goldbach is currently offline Jakob Goldbach
Messages: 14
Registered: January 2008
Junior Member
 From: openvz.org
 
Hi,

What securiy risks do I impose on myself when enabling kernel threads
inside the VE ?

/Jakob

Report message to a moderator

Re: Security risks in ve_allow_kthreads [message #25789 is a reply to message #25776] Wed, 09 January 2008 02:27 Go to previous messageGo to next message
vaverin is currently offline vaverin
Messages: 626
Registered: September 2005
Senior Member
 From: *sw.ru
When VE is stopped all processes should be finished. Userspace processes can be killed, but kernel threads cannot be stopped by this way.
You should have some guarantee that your kernel therads will be stopped by some way when VE is stopped. Otherwise you will have at least memory leakage.

thank you,
Vasily Averin

Report message to a moderator

Re: Re: Security risks in ve_allow_kthreads [message #25790 is a reply to message #25789] Wed, 09 January 2008 02:39 Go to previous messageGo to next message
Jakob Goldbach is currently offline Jakob Goldbach
Messages: 14
Registered: January 2008
Junior Member
 From: openvz.org
 
On Wed, 2008-01-09 at 10:27 +0300, vaverin wrote:
> 
>  When VE is stopped all processes should be finished. Userspace processes can be killed, but kernel threads cannot be stopped by this way.

Okay. 

> You should have some guarantee that your kernel therads will be stopped by some way when VE is stopped. Otherwise you will have at least memory leakage.
> 

My kernel threads is from the Lustre filesystem which I mount ind the VE
after the VE has started. Unmounting this should stop the thread so I
should be in the clear. 

Thanks
/Jakob

Report message to a moderator

Re: Security risks in ve_allow_kthreads [message #25791 is a reply to message #25776] Wed, 09 January 2008 02:52 Go to previous message
dev is currently offline dev
Messages: 1693
Registered: September 2005
Location: Moscow
Senior Member
From: openvz.org
 
Jakob Goldbach wrote:
> Hi,
> 
> What securiy risks do I impose on myself when enabling kernel threads
> inside the VE ?

1. if kernel thread doesn't terminate on VE stop - VE stop will be blocked.
2. security implications can be that kernel threads usually can do things
   which user space applications can't. So security implications depend
   on what thread in question does.
3. if your system is quite trusted (2) is not an issue at all.
   only (1) must be concerned.

Kirill

Report message to a moderator

Previous Topic:Hello, Some Problems With Open VZ
Next Topic:post-start and stop scripts
Goto Forum:
  

[ Syndicate this forum (XML) ] [ RSS ] [ PDF ]

Current Time: Tue Jun 18 16:42:46 EDT 2013
Powered by FUDforum Powered by Parallels Virtuozzo Containers