Security :: Security Implications Of Running A GUI In A VM?
Aug 24, 2009
I was wondering about the security implications of running a GUI in a VM. I know that a GUI adversely affects security, but don't know how this works when visualization is thrown into the mix.
1. Is the security of the host OS affected by the presence of a guest OS with a GUI, or is it just the guest OS that would take the hit?
2. If the host OS does not have a GUI, and the guest OS does have a GUI, would it be possible to see the GUI of the guest OS?
View 14 Replies
ADVERTISEMENT
Mar 17, 2010
I am surprised (from the searches I carried out on the net) that no one seems to have considered this danger so far as I can see...I'm a little concerned about the implications on security for algorithms that opaquely shift data blocks around on disks to even-out surface wear rates.In the good old days, if I wanted to wipe a file that documented my struggle to give up frosted strawberry donuts (for example) I knew where that file started on the disk and how long it was and could thus instruct the OS to wipe it with complete confidence.
Nowadays, however, with increasingly sophisticated use being made of W-L techniques and fancy, journaling file systems that separate meta-data from file content and whatnot and so forth, how can I still be sure that when I try to overwrite a personal and private file, that i AM actually doing precisely THAT, and not just nuking some virtual image of the thing which in reality remains preserved elsewhere on the disk?
View 9 Replies
View Related
May 23, 2011
Can I have both ufw and iptables running together? My server is currently using ufw, if I add an iptables rule will it have any effect?
View 6 Replies
View Related
Mar 18, 2010
What the most harmful thing can malware program started as separate limited user account do if it has access to the X server? Network and filesystem things are already considered by chroot and netfilter.
It obviously can lock the screen and I will need to switch to other vt and kill it manually. Can it for example disrupt other GUI programs on the same X server (access a root terminal in nearby window)?
I know that it is safer to run it in separate X server, for example, in Xtightvnc or even some virtual machine, but how dangerous is to just run it like other programs?
View 3 Replies
View Related
Apr 1, 2010
I was wondering how one could set up tcpdump to run in the background, dumping all output to a file until I terminate the process.Here is the dilema... I SSH into the box that will be listening (using tcpdump)...
ssh> sudo tcpdump -i eth0 > dump_file
yadda yadda...
then if I exit my ssh session, tcpdump closes.
If I do a...
ssh> sudo tcpdump -i eth0 > dump_file &
[1] 12938
yadda yadda.
View 7 Replies
View Related
Oct 11, 2010
I'm running behind a 2wire NAT Router with only have smtp, www, pop3 open routing to my ubuntu VM server. Network also includes three other ubuntu VM server's and a Desktop. I'm the only one on the network so my question is, what security risk is there running WireShark as root? Because running it under dumpcap is horrible after you quit. It hogs up all the resource to remove the dump.
View 7 Replies
View Related
Feb 5, 2011
I installed fail2ban from the Ubuntu Software Center (Ubuntu 10.10) and everything seemed to go fine. But when I try to access the client I get this output:
Code:
wolfgang@Culture:/var/log$ fail2ban-client status
ERROR Unable to contact server. Is it running?
[code]....
View 2 Replies
View Related
May 7, 2011
To: The Cog >>>
Code:
The Cog, heres the reszults for ps -ef | grep tty:
yo mama@blah:~$ ps -ef | grep tty
[code]....
View 9 Replies
View Related
Jul 18, 2011
I have a problem using PGP encryption. I am running Windows 7 operating system. I have PGP working perfectly fine when running manually through DOS mode (cmd.exe): gpg -ase --always-trust --batch --passphrase myphrase --output c: estdir estfile.csv.pgp -r someword c:estdir estfile.csv
Now the problem happens when I am trying to run same script in Perl in the browser (Perl + IIS are installed locally on my PC). The error I am getting is: gpg: no default secret key: No secret key gpg: C:\testdir\testfile.csv: sign+encrypt failed: No secret key
From what I understand, the secret key is created under my user profile. IIS runs under some default user name, so it does not see the secret key. I am not sure how to solve this problem.
View 1 Replies
View Related
Jan 2, 2010
I've written an article on my site which lays out steps for installing Wine and running it under its own, separate user account, so that Windows applications cannot access personal files (particularly those in your home directory).[URL}..i'm hoping that there are people on this forum who know Ubuntu inside-out, as I'd like to know how effective the described method is at trapping Windows applications so that they cannot read or write personal files or directories.
The way I understand it, once the process is running under user account wine, it's stuck with the access privileges of user wine. But are there ways in which a rogue application could break out of this prison and gain access to whatever it wishes? I'm guessing that such behaviour would mean someone customising Windows software to recognise Linux, and that such a thing is very unlikely, but I'm still interested to hear what gurus of the Ubuntu internals think of this method.
View 2 Replies
View Related
Jan 10, 2010
I am trying to run eclipse with administrator rights so that it can access any folder on my system.
View 9 Replies
View Related
Apr 21, 2010
I have a virtual private server running ubuntu server edition that I have set up as an openvpn client. The problem I have is that the moment I turn on openvpn, I am no longer able to ssh into the machine. Is there a way to enable me to connect to it even when it is tunneling?
View 4 Replies
View Related
Sep 25, 2010
I wanted to know if I install Ubuntu on my virtual PC on Windows 7 is it just as secure?
If I have a keylogger or some spyware will that affect the session I have running on the Virtual PC? Can they still steal my passwords?
View 8 Replies
View Related
Apr 5, 2011
I'm trying to modify an existing user so that any files they create can be at least read (although writing and execution would be nice) by any other user. The reason is because I need the daemon running my Apache server to be able to access files created by a daemon running under this user, files which will be created and accessed in real-time.
View 3 Replies
View Related
Jun 3, 2011
Ok, so I have a few web apps that need to run shell commands. Heres a great example of one:
Code:
This is a PHP script getting my system volume. Herein lies the problem... www-data doesn't have permission to do this!
I changed my apache config to use MY account as the web user, and it does in fact work the way I want it to.
Obviously, I dont want to leave apache running as me, and want it to keep using www-data.... heres my question... how can I give permission for www-data to execute certain programs?
View 3 Replies
View Related
May 3, 2011
I'm building a new machine with slackware 13.37 64bit and so far all has gone well except for secure smtp. My previous setup was with slackware 13.1 32bit which worked fine. If I run with (`confAUTH_OPTIONS', `A p y') in my sendmail config it shows "AUTH warning: no mechanisms" in my maillog and obviously fails to authenticate. When I take the 'p' out and run with (`confAUTH_OPTIONS', `A y') then it does list the defined confAUTH_MECHANISMS and works. I would prefer to run with the 'p' option and require the security layer.
Most of my setup guidance has come from the "Sendmail SMTP AUTH Howto":
http://www.linuxquestions.org/questi...-howto-224543/
The Sendmail "TLS SASL SMTP-AUTH" page on slackwiki:
http://www.slackwiki.org/Sendmail_TLS_SASL_SMTP-AUTH
And this page for debugging "How to test Sendmail SASL Authentication":
http://networking.ringofsaturn.com/P...entication.php
[Code]...
My hope is that I'm just missing something simple. Does anyone have insight into why adding the 'p' to confAUTH_OPTIONS is causing this behavior?
View 2 Replies
View Related
May 8, 2011
I'm building a new machine with slackware 13.37 64bit and so far all has gone well except for secure smtp. My previous setup was with slackware 13.1 32bit which worked fine.
If I run with (`confAUTH_OPTIONS', `A p y') in my sendmail config it shows "AUTH warning: no mechanisms" in my maillog and obviously fails to authenticate.
When I take the 'p' out and run with (`confAUTH_OPTIONS', `A y') then it does list the defined confAUTH_MECHANISMS and works.
I would prefer to run with the 'p' option and require the security layer.
Most of my setup guidance has come from the "Sendmail SMTP AUTH Howto":
My goal is to be able to send mail remotely with secure authentication. If the way I'm trying to go about it is old and there is some newer/better way I'm happy to go with that - but sendmail/saslauthd has worked for me in the past.
Sendmail is version 8.14.4 and looks like it has the necessary options compiled in:
Code:
saslauthd is version 2.1.23 and supports shadow:
Code:
I did discover the need to link /etc/sasl2 to /usr/lib64/sasl2 and created the Sendmail.conf file there:
Code:
Here's the sendmail configuration script I'm using. Its really just the vanilla /usr/share/sendmail/cf/cf/sendmail-slackware-tls-sasl.mc file with my cert file names:
Code:
When I try to connect with (`confAUTH_OPTIONS', `A p y') in the config here is the output I get in maillog (none of the other logs seem to show anything and I dont see any errors/warnings when I restart sendmail):
Code:
If I change the option so its just (`confAUTH_OPTIONS', `A y') then it does work and this is the log output I get:
Code:
My client is configured to use SSL and when I go through the setup, it does appear to authenticate against the smtp server and it validates. The fail comes in when trying to actually send mail.
Does anyone have insight into why adding the 'p' to confAUTH_OPTIONS is causing this behavior?
View 4 Replies
View Related
Dec 30, 2010
I've a Linux box with few users (with shell). I would like to prevent normal users see all the processes running on the box. How can I implement this?
View 1 Replies
View Related
May 26, 2011
I'd like to run a Tor relay, but am trying to understand the security implications. For some time I've run my torrent client in a VirtualBox virtual machine, which is run as a very non-prived user, bridges directly to The Internets, and writes to one directory on the host. My belief is this is about as secure as it can be, but am open to suggestion.If I run a relay in the VM it wouldn't be associated with my use of Tor as a client, which is fine since there is no technical need for them to be connected and it's desirable for security.I read that chroot jails can be broken, particularly when run as root, so I don't really trust that. Also studied a vserver, but it must share the network setup which doesn't strike me as isolated enough.
View 14 Replies
View Related
May 22, 2011
love security/pentest tools. This script adds ALL the tools from the Security Spin, plus Metasploit. Feel free to modify it if need be.
View 12 Replies
View Related
Jan 19, 2010
ubuntu 9.10 login panel is worse with respect to ubuntu 8 since now all the users with names are shown without a way to hide them!Why don't keep the old way at least as an option?
View 5 Replies
View Related
Oct 15, 2010
To avoid having to input a password for the keyring each time I connect to the net via wireless, I enabled the 'Available to all users' option in Network Manager. Now, my question is this. Are the 'users' it refers to just those created on this machine? Would a drive-by be able to use my network without entering the password?
View 3 Replies
View Related
Jan 17, 2011
1. I understand you can protect your files or directories in your website by setting file/directory permissions. The meaning of r w x is clear to me, but I'm not sure how to proceed... Starting with the index.html file, if I wanted to make it so that anyone in the world can read it but can't modify it, do I set its permissions to rwxr-xr-x? If I set it to rwxr--r--, would that mean the file couldn't be served? I mean, what does the x setting do on a .html file, how can a .html file be executable?
2. If file permissions work on the lines of owner-group-others, in the context of a website, who is 'group'? As far as I can tell, there's only the owner, which is me, and others, which is the world accessing the site. Am I correct in thinking that by default, say when creating a website on a shared hosting server, there is no group unless I specifically set one up?
3. My ISP allows the DynDNS.org service, meaning that I could serve a website from my home. It's too early to go that route just yet, but for future reference, I would like to ask about the server software called Hiawatha. It is said to be secure, but having read some evaluations of it, it doesn't seem to offer anything that couldn't be accomplished with Apache or Cherokee, it's just that its security settings are simpler and easier to configure. Am I right about this? Or does Hiawatha truly offer something that the other major server packages don't?
View 9 Replies
View Related
Apr 13, 2011
this is the allert i got:Code:Summary:Your system may be seriously compromised! /usr/sbin/NetworkManager tried to loada kernel module.Detailed Description:SELinux has prevented NetworkManager from loading a kernel module. All confinedprograms that need to load kernel modules should have already had policy writtenfor them. If a compromised application tries to modify the kernel this AVC willbe generated. This is a serious issue.Your system may very well be compromised.Allowing Access:Contact your security administrator and report this issue.Additional Information:
Source Context system_u:system_r:NetworkManager_t:s0
Target Context system_u:system_r:NetworkManager_t:s0
Target Objects None [ capability ]
[code]....
View 5 Replies
View Related
Mar 19, 2009
I decided that I'd torture myself and try to get a server up and running with SELinux fully enabled. I so far have figured out virtual hosting, vsftpd, and SSH to work with it nicely, but I can't figure out what to do to get AWstats to be viewable through a browser with SELinux enabled. This is what I get from /var/log/messages:
Code:
Mar 19 15:09:34 localhost kernel: type=1400 audit(1237496974.987:69): avc: denied { getattr } for pid=4769 comm="httpd" path="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl" dev=sda1 ino=1267968 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_awstats_script_exec_t:s0 tclass=file
Mar 19 15:09:34 localhost kernel: type=1400 audit(1237496974.987:70): avc: denied { getattr } for pid=4769 comm="httpd" path="/usr/share/awstats/wwwroot/cgi-bin/awstats.pl" dev=sda1 ino=1267968 scontext=unconfined_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_awstats_script_exec_t:s0 tclass=file
Could someone explain to me what I should be looking for in these messages? Or what I would need to do to fix it?
View 2 Replies
View Related
May 21, 2009
I want to prevent users changing the wallpaper, as i couldn't found any direct method I thought of preventing the /usr/bin/gnome-appearance-properties being running,
I know that the user also can set the wallpaper without running that . But didn't found any other way .
I tried to use SELinux to it and I'm stuck at writing a own policy.
According to SELinux, it prevents everything ., but as i have mapped the user to a SElinux user ,even though he can use administrative tasks , he can run the appearance window. that means he has got the permission from a different policy , Currently I'm stuck at this place.
Suitable way to prevent the wallpaper being changed by the normal users.
View 1 Replies
View Related
Aug 29, 2009
I like to keep top/htop running rkhunter showed up randomly. I didn't launch this. f11, 2 day old install, fully updated.
View 2 Replies
View Related
Jan 11, 2010
I have ubuntu 9.10, and installed the latest lampp with default options. Apache/Mysql/Proftpd would start and stop fine. I then did:
...which I got from here...[url] Although I'm pretty sure I was never prompted for the mySQL password. At any rate, now mySQL will not start (Apache and ProFTP are OK). Where can I start debugging this? Where is the conf file for mySQL?
View 1 Replies
View Related
Feb 14, 2010
My wife was using cryptkeeper fine, then she right-clicked the keys on the panel and did something, I'm not sure what. Anyway, the keys you click on to open the encrypted folder are gone and I can't figure out how to get them back. System monitor shows cryptkeeper running. I can kill it and re-start it, but the keys don't show on the panel. I'm running ubuntu 9.10.
View 1 Replies
View Related
Mar 8, 2010
I don't think it would be harmful to run ssh on the default port of 22. Especially since the machine will only accept key-based logins and only accept traffic on port 22 from external IP addresses that I specify.
View 8 Replies
View Related
