Timeline for Can I create a *super* super-user so that I can actually have a user that can deny permission to root?
Current License: CC BY-SA 3.0
16 events
| when | what | by | license | comment | |
|---|---|---|---|---|---|
| Sep 7, 2017 at 0:51 | comment | added | Nathan Smith | @fpmurphy1 Virtualbox is an open source project. Assuming it does not support applying the kind of controls & restrictions we're talking about, you're welcome to code it in yourself. If you're not up to that kind of task, what makes you think that you're going to improve anything by messing with the fundamental permissions model of your OS? I know I wouldn't... | |
| Sep 6, 2017 at 8:48 | comment | added | ctrl-alt-delor | @fpmurphy1 “let us” is abbreviated to “let's”, not “let\s”. | |
| Sep 6, 2017 at 8:47 | comment | added | ctrl-alt-delor | @fpmurphy1 Within the guest you have full root. However, it is not the same root as root on the host. Therefore it is a lesser root than the host root. Docker will allow things to be more integrated, but still put restrictions on root. | |
| Sep 6, 2017 at 2:59 | comment | added | fpmurphy | @ctrl-alt-delor. Let\s take VirtualBox as an example since you mentioned it. I install a Linux guest. How does VirtualBox give me the ability to restrict what the guest's root user does within the guest VM? | |
| Sep 5, 2017 at 9:21 | history | edited | ctrl-alt-delor | CC BY-SA 3.0 | no need to add note that you edited it. |
| Sep 5, 2017 at 9:19 | comment | added | ctrl-alt-delor | @fpmurphy1 VirtualBox, Docker, Xen … Root inside a guest system can be / is restricted and has far fewer abilities than in the host. | |
| Sep 5, 2017 at 3:45 | comment | added | Nathan Smith | A hypervisor can by definition change anything about the system state. Whether existing commercial tools provide a reasonable way to achieve OP's goals using a hypervisor is another question & a claim I don't feel qualified to make. | |
| Sep 5, 2017 at 2:08 | comment | added | fpmurphy | @NathanSmith. I am curious, please name one existing commercially available hypervisor that provides the ability "to enforce arbitrary restrictions on root user" | |
| Sep 4, 2017 at 20:37 | comment | added | Nathan Smith | @ctrl-alt-delor Thanks for your fix, but I don't think grammar was the problem. I clarified what I meant to say though, & I appreciate the feedback that my thoughts weren't clear at first | |
| Sep 4, 2017 at 20:33 | comment | added | Nathan Smith | @fpmurphy1 a hypervisor can hook system calls, apply policies, etc. to enforce arbitrary restrictions on root user or any other part of the guest OS. Maybe my answer isn't good because this is way too much work unless you've got some real enterprise use case or something though... | |
| Sep 4, 2017 at 20:29 | history | edited | Nathan Smith | CC BY-SA 3.0 | edit for clarity, since people apparently misunderstood my answer |
| Sep 4, 2017 at 8:32 | history | edited | ctrl-alt-delor | CC BY-SA 3.0 | fixed grammar, to make it clearer which way around the guest and host are. |
| Sep 4, 2017 at 8:30 | comment | added | ctrl-alt-delor | This answer starts OK, but then grammatically goes astray (it is then reading the wrong way around, or at least ambiguous). I did a fix. | |
| Sep 4, 2017 at 4:54 | comment | added | fpmurphy | How does a hypervisor prevent a user with root permission from doing anything they wish to do in a guest VM? | |
| Sep 4, 2017 at 1:23 | review | First posts | | | |
| Sep 4, 2017 at 2:47 | | | | | |
| Sep 4, 2017 at 1:23 | history | answered | Nathan Smith | CC BY-SA 3.0 | |