

Ask HN: Do user-mode exploits render Heroku (and similar) too dangerous to use? - wrs

The recent privilege escalation exploit in Linux prompts me to ask this.

Heroku runs multiple application instances (20 or more) on a single Linux VM. As they put it, they rely on "battle-tested Unix permissions" to separate applications. However, it is clear that each step in the deployment spectrum from dedicated server to VM to process increases the attack surface.

It seems that a user-mode privilege escalation in Linux would render Heroku applications vulnerable to each other. Furthermore, by simply increasing the number of dynos and issuing a bunch of requests, an evil application would be automatically deployed on a large number of victim instances, coming into contact with hundreds or thousands of other applications.

What effect does the probability of a 0-day exploit like this have on the practicality of Heroku, and any similar shared hosting platform? Obviously this is hard to quantify, so feel free to answer with an educated guess.
======
_delirium
It's not an identical question, but people have been debating versions of this
question since the first local-root exploit in a multiuser Unix system. Is it
safe to run multiuser Unix systems in general? The answers seem to range from
"no" to "maybe", but plenty of people still manage to run reasonably open
multi-user systems (e.g. <http://sdf.lonestar.org/>, not to mention many
universities' Unix servers) without great amounts of carnage. One major
mitigating factor is attempting to make sure all users with accounts are tied
to real identities, so you can deter misuse via the threat of real-world
consequences. That and patching quickly, and not installing unnecessary suid
things that can increase the attack surface (a few of the privilege-escalation
bugs in recent memory have been via the X server).
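The last mitigation in the comment above, keeping unnecessary setuid binaries off a shared host, is something an operator can check mechanically. The script below is an added example for this thread, not code from Heroku or from any commenter: it enumerates setuid/setgid files on a host and flags any that are not on a known-good allowlist. The allowlist contents are an assumption for illustration; a real baseline should be generated from a freshly built image and reviewed.

```shell
#!/bin/sh
# Added example: audit a shared host for setuid/setgid binaries that are not
# on an expected baseline. The ALLOWED_SETUID list below is an assumed
# baseline for illustration, not a recommendation for any particular distro.

ALLOWED_SETUID='/usr/bin/passwd
/usr/bin/sudo
/usr/bin/su
/usr/bin/newgrp
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/mount
/usr/bin/umount'

# flag_unexpected: read one path per line on stdin and print every path that
# is absent from the allowlist given as $1 (defaults to ALLOWED_SETUID).
# Pure text processing, so it can be exercised against constructed input.
flag_unexpected() {
    allow="${1:-$ALLOWED_SETUID}"
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        # -x whole-line match, -F fixed string: no globbing or regex surprises
        if ! printf '%s\n' "$allow" | grep -qxF -- "$path"; then
            printf '%s\n' "$path"
        fi
    done
}

# find_setuid: enumerate regular files with the setuid or setgid bit under a
# root (default /). -xdev stays on one filesystem so /proc, /sys and mounted
# tenant volumes are not walked.
find_setuid() {
    root="${1:-/}"
    find "$root" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null
}

# audit_setuid: full pipeline. Returns 1 when anything unexpected is present,
# so it can gate an image build or run as a periodic check on the host.
audit_setuid() {
    unexpected=$(find_setuid "$1" | flag_unexpected "$ALLOWED_SETUID")
    if [ -n "$unexpected" ]; then
        printf 'unexpected setuid/setgid binaries:\n%s\n' "$unexpected"
        return 1
    fi
    echo "no unexpected setuid/setgid binaries under ${1:-/}"
}

# Usage on a live host:   audit_setuid /
# Offline check against constructed input (path under /opt is hypothetical):
#   printf '/usr/bin/passwd\n/opt/app/bin/helper\n' | flag_unexpected
```

Anything the audit prints is a candidate either for removal or for having its setuid bit dropped (`chmod u-s`), after confirming nothing on the host depends on it; the point is to make the set of privileged binaries a tenant can invoke an explicit, reviewed list rather than whatever the base image happened to ship.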

