[tor-talk] Securing a Relay - chroot

Martin Fick mogulguy at yahoo.com
Thu May 26 17:02:39 UTC 2011


--- On Thu, 5/26/11, CACook at quantum-sci.com <CACook at quantum-sci.com> wrote:

> > So you're worrying about a compromised vserver guest
> > compromising the host, which is then used to attack
> > your LAN segment?
> 
> Doesn't even have to compromise the host.  With the
> guest in the same class C it can monitor traffic.

This is not true with a vserver; they use IP aliases,
and do not have raw access to the network interface
(unless you give them those specific capabilities).

With lxc you could give it that access, but you
could also firewall its interface from within the
host so that this is not possible (unless the host
is compromised).

-Martin
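
The capability condition mentioned in the message above can be checked from the host. The following is an added example, not part of the original post: it decodes the `CapEff` and `CapBnd` masks from `/proc/<pid>/status` text and reports whether a guest process holds, or could regain, `CAP_NET_RAW`. The guest names and status excerpts are constructed sample data.

```python
import re

# Bit number from <linux/capability.h>: needed to open raw/packet sockets.
CAP_NET_RAW = 13

# Constructed /proc/<pid>/status excerpts for three hypothetical guests.
SAMPLE_STATUS = {
    "guest-default": "Name:\ttor\nCapEff:\t00000000a80425fb\nCapBnd:\t00000000a80425fb\n",
    "guest-dropped": "Name:\ttor\nCapEff:\t0000000000000000\nCapBnd:\t00000000a80425fb\n",
    "guest-hardened": "Name:\ttor\nCapEff:\t00000000a80405fb\nCapBnd:\t00000000a80405fb\n",
}

def parse_caps(status_text):
    """Return {'CapEff': int, 'CapBnd': int} from /proc/<pid>/status text."""
    pairs = re.findall(r"^(CapEff|CapBnd):\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    caps = {name: int(value, 16) for name, value in pairs}
    missing = {"CapEff", "CapBnd"} - caps.keys()
    if missing:
        raise ValueError("status text lacks: " + ", ".join(sorted(missing)))
    return caps

def has_cap(mask, bit):
    return bool((mask >> bit) & 1)

def raw_access(status_text):
    """Classify a process by its ability to open raw sockets.

    can-sniff : CAP_NET_RAW is in the effective set right now.
    reachable : not effective, but still in the bounding set, so exec of a
                setuid-root or file-capability binary could acquire it.
    blocked   : removed from the bounding set; it cannot be regained.
    """
    caps = parse_caps(status_text)
    if has_cap(caps["CapEff"], CAP_NET_RAW):
        return "can-sniff"
    if has_cap(caps["CapBnd"], CAP_NET_RAW):
        return "reachable"
    return "blocked"

def audit(statuses):
    """Map each guest name to its raw-access verdict."""
    return {name: raw_access(text) for name, text in statuses.items()}

if __name__ == "__main__":
    for guest, verdict in audit(SAMPLE_STATUS).items():
        print(f"{guest:15} {verdict}")
```

On a live host, pass the contents of a guest process's `/proc/<pid>/status` file to `raw_access()` instead of the sample strings.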




