[K12OSN] teaching kids sys admin with VM's

Les Mikesell les at futuresource.com
Fri Jan 18 06:34:13 UTC 2008


Robert Arkiletian wrote:
> On Jan 17, 2008 4:03 PM, Les Mikesell <les at futuresource.com> wrote:
>> You configure on the host side which NIC(s) to bridge and/or nat.  Then
>> these appear as virtual interfaces to the guest OS.  The guest only sees
>> the interfaces that you pre-configured on the host when you ran the
>> vmware-configure.pl script (which you have to do when you ugrade the
>> vmware software or the host kernel).  There is also an option of 'host
>> only' networking so the guests can see themselves and the host only like
>> an isolated subnet which normally isn't useful for anything but testing.
> 
> If I put the VM server on a seperate box on the ltsp internal network
> and give it a static ip (rejecting everything except port 80), then
> make sure the VM's nics only connect to the host through NAT so the
> VM's are in an isolated network wouldn't that pretty much take care of
> the security issue. What's the worst thing they could do? They would
> only be able to mess with the other VM's on the host box not my ltsp
> server, correct?

I wouldn't be particularly concerned about what a VM can do compared to 
a physical host.  NFS is about the only protocol that cares much about 
the client uid and you could spoof anything equally well from a knoppix 
CD boot or appropriate windows tools anyway.  A root user on a client vm 
would be able to use tcpdump or wireshark to see everything the host and 
other clients see on a bridged interface. I'm not sure how the nat 
interfaces work in that regard - but again you could do it from windows 
too.  You have some control over who can access each machine in that you 
can only connect to a machine if you have execute permission on its 
*.vmx file that has the machine definition.   You should be able to 
pre-create an uninstalled vm, copy it for each user and with appropriate 
ownership and mode settings, each user will only be able to see and 
start his own VM.  Only one will be able to grab 'real' resources like 
the host CD,floppy, sound, or usb devices at at time, though.  I think 
the system will permit a user to increase the ram his vm will see, but 
top or ps on the host would show the real resource usage by vm.

-- 
   Les Mikesell
    les at futuresource.com




More information about the K12OSN mailing list