[Vserver] CAP_SYS_ADMIN, how unsecure it is within vserver
Hi, I am testing out vserver(1.2.10 on 2.4, not ready for 2.6 yet because of stability issue unrelated to vserver) and I am wondering what is the impact of giving CAP_SYS_ADMIN to it. Without it, I cannot mount within vserver but I see mount as a legitimate use like mounting CIFS/NFS or FUSE related file systems. Oh, while I am at it, what capability is needed so that I can setup vpn(pptp, openvpn etc.) within the vserver or it will the vserver no longer virtual(too much rights so it can get out of the jail)? thanks in advance for any help. regards, gary PS. please CC if possible as I am not on the list __ Discover Yahoo! Use Yahoo! to plan a weekend, have fun online and more. Check it out! http://discover.yahoo.com/ ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Start-Up Scipts
On 2005.05.27 18:15:34 +0200, Oliver Welter wrote: Hi List, I have a little problem with vserver Start-up scriots... I am running Gentoo Host/Guest with 2.6.9 kernel and vserver-tools 0.30.196 1) I have a vServer called wwwmain - I added a script wwwmain.sh in /etc/vservers/ but it seems that this is never executed.. Then you are probably using a new style configuration, the vservername.sh is for the old style. The flower page lists the various start/stop script possibilites. HTH Björn ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] Confused by routing
On Fri, May 27, 2005 at 02:26:58PM +0200, Gilles wrote: Hi Herbert, Thanks a lot for this complete example. I'll muse on it (may take some time!). Two small questions, to be sure: 1. Everything is setup on the Host(s), nothing on the guest (i.e. in the pre-start.d et al. directories)? the example isn't even vserver related ... 2. Vserver and QEMU setups are the same wrt connecting to the Host and outer world? no, qemu has a virtual network which results in a tun/tap device being set up, but that is compareable to your 'real host' setup (with the bridge active) best, Herbert Best, Gilles ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] CAP_SYS_ADMIN, how unsecure it is within vserver
On Sat, 28 May 2005, gary ng wrote: I am testing out vserver(1.2.10 on 2.4, not ready for 2.6 yet because of stability issue unrelated to vserver) and I am wondering what is the impact of giving CAP_SYS_ADMIN to it. Without it, I cannot mount within vserver but I see mount as a legitimate use like mounting CIFS/NFS or FUSE related file systems. You can also mount filesystems containing device nodes. This would give you root access to the host. Secure user mounts are planned in the vanilla kernel, maybe they can be adopted for vservers. -- Top 100 things you don't want the sysadmin to say: 45. Was that YOUR directory? ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] CAP_SYS_ADMIN, how unsecure it is within vserver
Thanks. The reason I said it is legitimate use is that I saw people offer vserver based VDS solutions. After a closer examine, I think vserver is more suitable for host service only jail rather than a full featured VDS(I had one before which use uml), so mainly for internal server management(moving vserver from one machine to another is much easier). --- Herbert Poetzl [EMAIL PROTECTED] wrote: On Sat, May 28, 2005 at 04:42:04AM -0700, gary ng wrote: Hi, I am testing out vserver(1.2.10 on 2.4, not ready for 2.6 yet because of stability issue unrelated to vserver) and I am wondering what is the impact of giving CAP_SYS_ADMIN to it. well, it basically allows the vserver root to take over the host system quite easily ... Without it, I cannot mount within vserver but I see mount as a legitimate use like mounting CIFS/NFS or FUSE related file systems. no, mounting filesystems (without special security) isn't a legitimate use on a vserver ... you can do that in a more secure way with 2.6/1.9.x (but it isn't advisable anyway) Oh, while I am at it, what capability is needed so that I can setup vpn(pptp, openvpn etc.) within the you can set those things up from outside, or wait until ngnet (2.6 only) will become more mature ... vserver or it will the vserver no longer virtual(too much rights so it can get out of the jail)? thanks in advance for any help. best, Herbert regards, gary PS. please CC if possible as I am not on the list __ Do you Yahoo!? Yahoo! Small Business - Try our new Resources site http://smallbusiness.yahoo.com/resources/ ___ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserver
