How can a guest OS prevent the host OS from executing commands on it?
Hello,
When having an OpenVZ or a KVM VPS, can I run some task that will kill/terminate all commands from the host server, like vzctl exec, vzctl enter and others, so I prevent the host from entering or executing commands on the guest?
I can run some script like
while true; do
    # kill every process whose command line mentions vzctl ("[v]zctl" keeps grep from matching itself)
    for vzpid in $(ps ax | grep "[v]zctl" | awk '{print $1}'); do kill -9 "$vzpid"; done
    sleep 1   # pause between passes so the loop does not peg a CPU core
done
But I'm not sure if that would be effective. Is there any better way that will not hurt VPS performance and be effective?
Comments
You are kidding, aren't you?
Remove /bin/bash and /bin/sh inside the VPS; the host will not be able to do vzctl enter.
When removing /bin/bash and /bin/sh, you won't be able to execute any script within the VPS yourself. Booting the VPS may even become impossible as some boot scripts may rely on bash or sh to execute.
@Bafly I know. But you should look at this user's previous history here, and the kind of questions he asks all the time.
Now to the question - you could modify /bin/sh and /bin/bash to check the name of their parent process and refuse to run (or do something else) if the name is vzctl.
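The parent-process check suggested in the comment above, written out as a runnable sh wrapper. This is an added example, not code from the thread or from OpenVZ. It assumes a Linux /proc, that the real shell has been moved to the hypothetical path /bin/sh.real, and that vzctl appears under its own name in /proc/<pid>/comm. As the later replies point out, this only raises the bar: the host can rename vzctl, or skip the container's shell entirely and edit its files from /vz/root/<ctid>.

```sh
#!/bin/sh
# Added example (not the thread's code): a wrapper installed as /bin/sh that refuses
# to start when its parent process is named vzctl. Assumes Linux /proc and that the
# real shell lives at the hypothetical path /bin/sh.real. A host that renames vzctl
# or edits the container filesystem directly is not stopped by this.

REAL_SHELL=/bin/sh.real     # hypothetical location of the real shell binary
BLOCKED_PARENT=vzctl        # short command name (as in /proc/<pid>/comm) to refuse

# parent_name PID: print the command name of PID's parent, read from /proc.
# Prints nothing if PID does not exist or /proc is unavailable.
parent_name() {
    ppid=$(awk '/^PPid:/ { print $2 }' "/proc/$1/status" 2>/dev/null)
    [ -n "$ppid" ] && cat "/proc/$ppid/comm" 2>/dev/null
}

# allowed_for_parent NAME: succeed (0) unless NAME is the blocked parent.
allowed_for_parent() {
    case "$1" in
        "$BLOCKED_PARENT") return 1 ;;
        *)                 return 0 ;;
    esac
}

# run_wrapper ARGS...: perform the check, then hand over to the real shell
# with the original arguments so normal scripts keep working.
run_wrapper() {
    if ! allowed_for_parent "$(parent_name $$)"; then
        echo "refusing to start a shell for parent '$BLOCKED_PARENT'" >&2
        exit 126
    fi
    exec "$REAL_SHELL" "$@"
}

# Act as the wrapper only when the real shell is actually installed at REAL_SHELL;
# otherwise (for example when this file is run on its own) just define the functions.
if [ -x "$REAL_SHELL" ]; then
    run_wrapper "$@"
fi
```

Installed as /bin/sh (with the real shell at /bin/sh.real), every shell the container starts goes through run_wrapper; the check costs one read of /proc per shell start, so it does not burn CPU the way a kill loop does.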
@postcd
If the host really wants to get in your container, they could simply enter /vz/root/yourctid and find all your files there.
Now, a host could also just terminate that script of yours and then vzctl enter :P
The short answer is definitely No.
You can make it difficult for the VPS provider, perhaps very difficult, but not impossible. If the provider has very strong technical skills along with the time and interest, the provider can make your VPS run whatever they want.
P.S. ... and with more time and effort, they can make it impossible for you to detect.
renames vzctl to init
ALT+F4
sir.
Looking at the posting history, god bless your provider.
power off should do