Changing root password of Virtual Machine KVM - linux

I was curious, as DigitalOcean provides us with a root password reset option, and I have been working towards virtualization for about 3 months and never came across a direct way to do so.
OpenStack, for example, offers such an option only for Xen, whereas, if I am not wrong, DigitalOcean provides it for KVM. Also, Proxmox and other stacks do not provide this option.
So I need to know how these guys managed to do so.
One thing I know is that if I can access the file system then I can edit the shadow file, but in a virtual environment the machine is in template form, not in an open file system state.
I was wondering if there is any root backdoor in the OS itself, provided by DO, which they use to change the password on request?
Thanks

If you turn off your virtual machine, all you have is the whole "virtual hard drive" file on a "real hard drive" in a real machine. It's a common file system that can be parsed and managed from outside with no problem (unless it is encrypted).
So there's no reason for you to NOT be able to access the filesystem of the virtual machine, including the shadow file.

This is typically done using cloudinit... No hackery involved
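Added example (not part of the original answers): the first answer's caveat, "unless it is encrypted", can be checked from the host by looking at the image header. The sketch below recognises the LUKS magic, the qcow2 `crypt_method` field and the BitLocker volume signature; the function names and the sample headers are constructed for illustration.

```python
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"      # LUKS1/LUKS2 header magic, offset 0
QCOW2_MAGIC = b"QFI\xfb"          # qcow2 header magic, offset 0
BITLOCKER_SIG = b"-FVE-FS-"       # BitLocker volume signature, offset 3
QCOW2_CRYPT = {0: "none", 1: "aes", 2: "luks"}  # qcow2 crypt_method values


def classify_image(header: bytes) -> dict:
    """Classify the first bytes of a disk image or volume.

    'encrypted' is True/False when the header says so, and None when
    nothing is recognised at offset 0 (for example a raw image whose
    encrypted volume sits inside a partition further into the file).
    """
    if len(header) < 36:
        raise ValueError("need at least 36 header bytes")
    if header[:6] == LUKS_MAGIC:
        (version,) = struct.unpack(">H", header[6:8])
        return {"format": f"luks{version}", "encrypted": True}
    if header[3:11] == BITLOCKER_SIG:
        return {"format": "bitlocker", "encrypted": True}
    if header[:4] == QCOW2_MAGIC:
        # crypt_method is a big-endian uint32 at byte offset 32
        (method,) = struct.unpack(">I", header[32:36])
        name = QCOW2_CRYPT.get(method, f"unknown({method})")
        return {"format": "qcow2", "encrypted": method != 0,
                "crypt_method": name}
    return {"format": "raw-or-unknown", "encrypted": None}


def classify_file(path: str) -> dict:
    """Read the first sector of an image file on the host and classify it."""
    with open(path, "rb") as fh:
        return classify_image(fh.read(512).ljust(36, b"\0"))


def qcow2_header(crypt_method: int) -> bytes:
    """Constructed sample: minimal 36-byte qcow2 v3 header (10 GiB disk)."""
    return struct.pack(">4sIQIIQI", QCOW2_MAGIC, 3, 0, 0, 16,
                       10 * 2**30, crypt_method)


# Constructed sample headers, not taken from real images.
SAMPLES = {
    "plain qcow2": qcow2_header(0),
    "qcow2 + LUKS": qcow2_header(2),
    "LUKS2 volume": LUKS_MAGIC + b"\x00\x02" + bytes(504),
    "BitLocker volume": b"\xeb\x58\x90" + BITLOCKER_SIG + bytes(501),
}

if __name__ == "__main__":
    for label, hdr in SAMPLES.items():
        print(f"{label:18} {classify_image(hdr)}")
```

A result of `encrypted: False` or `None` means the image header itself offers no protection against someone with read access to the host's storage.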

Related

Is installing compiler on a virtual pc vs desktop more secure?

My supervisor is pushing developers to install any compiler (Visual Studio etc.) on a virtual machine vs desktop. His argument is that it is more secure to put the compiler on a virtual machine in case desktops are hacked. But if I can access the virtual machine from my desktop then a hacker can too. I am just trying to understand why it is more secure to put the compiler on a virtual machine. Thank you.
If the virtual machine is hosted in the cloud (public/private/internal) then probably somebody else is managing security in the cloud. In that case, probably it is almost certain that it will provide more security than a bare desktop.
However, we are relying on that somebody.
If your VM is running on a desktop hypervisor, then I would prefer doing all work on the VM. In a hacking scenario, I would still have my desktop, while the VM may be gone.
I have seen something similar when a ransomware attack happened: all Windows desktops were gone, including local filesystem/VMs, but only VMs running Windows were affected, and the hypervisor and local filesystem were all good if running a non-Windows host OS.
Not sure if it answers your question, but I am putting my perspective on what I have seen so far in the industry.

What is the best practice to code when the project is on a Guest OS (Virtualbox)?

I have a project and the files are on a Guest OS (Red Hat Enterprise Linux) with VirtualBox; my host OS is Mac OS. I used to code right in RHEL with the editor Atom. But my boss told me that it's inefficient to code in a Guest OS, well, it makes sense because Mac OS or Windows is more responsive than Linux, so I changed my way:
1. Copy the whole project located on RHEL to a shared folder between Mac OS and RHEL using rsync
2. Code with Atom in Mac OS
3. Copy the project in the shared folder back to the original project in RHEL by rsync
I'm using Atom (not vim in RHEL) because it can edit the whole project in one window, which is convenient for my situation. But there is a problem: after copying back the project in Step 3, git status shows everything has been changed even though I edited only a few files. That is a little annoying.
Is there any better way to code in such an environment? Any advice is appreciated.
BretzL's suggestion to use shared folders is a good one, but I think it's important to address the underlying issue: your boss' assumption about coding being inefficient or slow just because you're working on a VM is simply not true.
It sounds like your new workflow, which was instituted as a result of his/her advice, is causing you to have a harder time developing than you did on the VM. The shared folders will help with that, but if you have the VM configured to have access to enough cores and memory, then its performance for most tasks will be fine, and there may not be any problem with developing on the VM directly. I do a significant amount of development on a VM, and haven't had any issues. You may experience slower builds on the VM if you're building whole kernels or other large projects, but if that's not the case, it should be fine.
If you didn't have any performance or productivity problems before forcing yourself to work outside of the VM, then... it wasn't a problem.
(I also have an issue with the assumption that Linux is always less responsive than Windows or Mac OS, but that's a debate for a different day.)
VirtualBox supports shared folders, so you don't need to rsync back and forth. Just mount the shared folder into where your application server on the RHEL guest expects the code.
I also recommend you take a look at https://www.vagrantup.com/ for managing developer VMs.

Install software on Windows from Linux live usb

I'm a (noob) administrator of a little network. For business purposes I have some Windows 7 PCs and a 2008 Server.
While doing the setup, something has come to my mind: is it possible for a user without high privileges to install some kind of software using a live USB?
OK, it's possible to reset the admin password, manage partitions, etc., but can someone do that without changing admin settings? Just putting software in the admin's (or another) directory and editing the Windows registry?
Thanks!
I would say: Yes. If someone manages to boot the machine from a live USB stick, CD, DVD or whatever, he can:
- Mount the disk with the Windows installation.
- Read and write to that disk.
- Install software on that disk: installing software is not much more than copying files from one place to another.
- Possibly modify the registry: the registry must also be stored somewhere on the disk. If the user can access that file, he can modify it and therefore modify the registry (it's another question whether these are valid manipulations).
You can prevent access to the hard disk by using Windows 7 BitLocker.
It is not possible to mount the drive from a live system when it is activated.
Here is a guide how to do this:
BitLocker Guide

Sandboxed operating system

On most operating systems today, the default is that when we install a program, it is given access to many resources that it may not need, and that its user may not intend to give it access to. For example, when one installs a closed source program, in principle there is nothing to stop it from reading the private keys in ~/.ssh and sending them to a malicious third party over the internet, and unless the user is a security expert proficient in using tracing programs, he will likely not be able to detect such a breach.
With the proliferation of many closed sourced programs being installed on computers, what actions are different operating systems taking to solve the problem of sandboxing third party programs?
Are there any operating systems designed from the ground up with security in mind, where every program or executable has to declare, in a format clearly readable by the user, what resources it requires to run, so that the OS runs it in a sandbox where it has access only to those resources? For example, an executable will have to declare that it will require access to a certain directory or a file on the filesystem, that it will have to reach certain domains or IP addresses over the network, that it will require a certain amount of memory, etc. If the executable lies in its declaration of system resource requirements, it should be prevented from accessing them by the operating system.
This is the beauty of virtualization. Anyone performing testing or operating a questionable application would be wise to use a virtual machine.
Virtual Machines:
- Provide advantages of a full Operating System without direct hardware access
- Can crash or fail and be restarted without affecting the host machine
- Are cheap to deploy and configure to a variety of environments
- Are great for using applications designed for other platforms
- Sandbox applications that may attempt to access other private data on your computer
With the seamless modes that virtualization programs such as VirtualBox provide, you can take advantage of a Virtual Machine's sandboxing in a nearly seamless fashion.
You have just described MAC (Mandatory Access Control) in your last paragraph.
I was always curious about that too.
Nowadays mobile OSes like Android do have sandboxing built-in. When installing an app, it asks for permissions to access a set of resources/features. Windows too as far as I know, at least to some extent. It is more permissive though.
Ironically, Linux and others seem to be far, far away concerning "software based permissions" and are stuck in the past, which is a pity... at least, as far as I know. I would be pleased for someone to prove me wrong and show me a "usable" open source system where application sandboxing/privileges are built-in. Currently, as far as I know, permissions are solely user based.
I think this awareness that not only users need rights to access documents but also executables need rights to access resources has been missing for several decades. It might have avoided a plague of viruses and security issues of our century.

Hypervisors: is arbitrary code execution on the guest possible?

I've been reading into virtualization security and came across Blue Pill, a malicious thin hypervisor (project website is down, archived version here: http://web.archive.org/web/20080418123748/http://www.bluepillproject.org/).
My question is: could a custom malicious hypervisor modify execution flow, inject and execute arbitrary code, look at private information in RAM of the VM or anything else?
I'm not asking whether this would be practical from a malware point of view (to implement these features, it may turn into a large and impractical backdoor). I'm interested in whether the malicious hypervisor would have complete control over every aspect of the virtualized machine.
Would there be any difference for this when it comes to a program like VirtualBox - could the Host OS execute arbitrary code inside the guest at any time it chooses?
Any thoughts would be highly appreciated!
Thanks in advance,
r3mo
Yes, the hypervisor is running at a higher privilege level than the guest VM so it could easily modify the execution flow and read arbitrary parts of the VM.
The same is true for VirtualBox. The host OS can alter the guest provided that you have full access/permissions on the host OS.
