Ask HN: Do user-mode exploits render Heroku (and similar) too dangerous to use?

[wrs]

The recent privilege escalation exploit in Linux prompts me to ask this.

Heroku runs multiple application instances (20 or more) on a single Linux VM. As they put it, they rely on "battle-tested Unix permissions" to separate applications. However, it is clear that each step in the deployment spectrum from dedicated server to VM to process increases the attack surface.

It seems that a user-mode privilege escalation in Linux would render Heroku applications vulnerable to each other. Furthermore, by simply increasing the number of dynos and issuing a bunch of requests, an evil application would be automatically deployed on a large number of victim instances, coming into contact with hundreds or thousands of other applications.

What effect does the probability of a 0-day exploit like this have on the practicality of Heroku, and any similar shared hosting platform? Obviously this is hard to quantify, so feel free to answer with an educated guess.

[_delirium]

It's not an identical question, but people have been debating versions of this question since the first local-root exploit in a multiuser Unix system. Is it safe to run multiuser Unix systems in general? The answers seem to range from "no" to "maybe", but plenty of people still manage to run reasonably open multi-user systems (e.g. http://sdf.lonestar.org/, not to mention many universities' Unix servers) without great amounts of carnage. One major mitigating factor is attempting to make sure all users with accounts are tied to real identities, so you can deter misuse via the threat of real-world consequences. That and patching quickly, and not installing unnecessary suid things that can increase the attack surface (a few of the privilege-escalation bugs in recent memory have been via the X server).