-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
On Thu, May 19, 2022 at 07:25:43AM +0000, Robert wrote:
> On 5/19/22 01:18, Demi Marie Obenour wrote:
> > *nix TemplateVMs and TemplateBasedVMs are in the rather unusual position
> > of having a /etc that is effectively public, in that it is shared with
> > untrusted code.
>
> > What is the recommended solution to this? Should /etc/ssh and
> > /etc/pki/tls/private be part of the private volume by default
> Why not have the user deploy security-sensitive data into the VMs using
> bind-dirs?
That is exactly what I was intending, but given that some directories in
/etc should almost never be shared, I figured that they might belong in
the default bind-dirs. The whole purpose of this is to reduce the
likelihood of user error.
Another option would be to use an overlayfs, as is done for the kernel
module directory. This might be a better choice for /etc/ssh.
- --
Sincerely,
Demi Marie Obenour (she/her/hers)
Invisible Things Lab
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCAAdFiEEdodNnxM2uiJZBxxxsoi1X/+cIsEFAmKGT6UACgkQsoi1X/+c
IsF98g/+JwZ+IsIGQYiFY80jz3Tr//yuNEK4fRb26wl2vUFO1G1iYe7ShSZcxCsx
9ijoyqecJTQBL0Edrbs9I8s5VLiZrwF6Jk5IGh8SUD9+XJGCL8pPpN6DE/dYLaL4
f+nhEXxqQ8AttgVfX4WZv9g2sr8vPvUwNMBqQ3AOGwtYQ1SFX6jW8gjcIImxm//i
/msknNjKQvHEvTIsSsjttiQzToc9Evhw/7KrHWYqbpyQ0mMapeqoEzGW5Ly8cWgI
2ZwadXqxs7INMxQgO9fmWnJRIkgPVRLL21XCNT51zTIegkfzPhL95TOjyh/fwTGj
x+7lI9CXU6NyAMtVih3okOdhWWfVPyTA6NFY2gINeTzYW1jZVlfQCjoCq4S8zKKr
hNhFVxbj9H1DATyCR7kh+emVM4QihCklTJojvCFmmziBXBXaBJpQpOe/aG3nGxKD
sC1sYNwai7ieJV/EGTSpGiAmIDclyz/h4S0gh+BfQYtBLb3RBg8EnP6z/RLSH6oz
uROKAKalLE4vXjvOvJl53B44RSLbp61CflNuqS4ikne9aoZtKRGqlX/dRKo6G5p1
QlfIP1+ohWb62NNkjDwnNDFyjgCT81ci6xXco9wHXD/op1govz3y0c12fO0YJo7G
bSUA6sIzUs0sNPs4zhT19Jd19Qa/KAVlmIyUh/xyEqNhhnWdxfs=
=2UIK
-----END PGP SIGNATURE-----