Re: [lvs-users] Single-lan config?

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Single-lan config?
From: "David Dyer-Bennet" <dd-b@xxxxxxxx>
Date: Mon, 13 Oct 2008 15:39:33 -0500 (CDT)
On Mon, October 13, 2008 15:23, Graeme Fowler wrote:
> On Mon, 2008-10-13 at 15:13 -0500, David Dyer-Bennet wrote:
>> My desktop system is part of the corporate domain.  So are the desktops
>> of the people doing Windows development.  Why would making a server part
>> of the domain be any more dangerous than that?  And that's standard
>> anywhere that does Windows development.
>
> You're personally fairly unlikely to run code as a system account,
> especially when developing - you're more likely to run it as yourself.
> Of course, many developers and sysadmins make themselves admins on their
> own machines (makes installing software just *so* much more convenient
> than doing "runas") so the security arguments in those cases are
> slightly damaged anyway :)

I think "myself" is defaulting to being an admin on my desktop -- at
least I never have any trouble installing code on this system.  (*Not* a
Windows admin expert!)

> Allowing arbitrary code (think of the mass of .NET examples out there)
> to be executed under the IIS framework is a dangerous game, especially
> (as is often the case) when it's being executed by a user with elevated
> privileges (like the Network Service user which IIRC is the default user
> for IIS code execution).
>
> This is, of course, a massive Catch-22 for hosting operations, and is
> the reason why app pools came along in IIS6 which allowed almost
> complete segregation of execution environments which themselves ran as
> non-privileged users. Much tidier than it used to be.

Yep, hosting gets complicated, that's for sure!

> In your environment you might not be exposing the web servers to that
> nasty Intertubes thingmy, which makes security all the easier to manage.

Right, we're not.
-- 
David Dyer-Bennet, dd-b@xxxxxxxx; http://dd-b.net/
Snapshots: http://dd-b.net/dd-b/SnapshotAlbum/data/
Photos: http://dd-b.net/photography/gallery/
Dragaera: http://dragaera.info