Re: [Vserver] Capability suid ?
* Gregory (Grisha) Trubetskoy ([EMAIL PROTECTED]) wrote:
> Has there been any discussion of having a feature whereby a binary would
> be executed with higher capabilities automatically?

This can be done in two ways. Normal setuid-root will elevate, and then
some LSM modules like SELinux and LIDS can define which capabilities a
program will get when it's executed.

thanks,
-chris
--
Linux Security Modules http://lsm.immunix.org http://lsm.bkbits.net
___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
Re: [Vserver] future 2.6 development ...
* Tim Freeman ([EMAIL PROTECTED]) wrote:
> Does anyone know where the LSM framework is sufficient to implement
> vserver?

I know that the context specific hostname and IP (when binding to
INADDR_ANY) didn't fit cleanly into LSM hooks. I created a list quite
some time back; if no one has more up-to-date info I can reproduce it.

> The grsecurity patches, for instance, don't use LSM because it isn't
> flexible enough.

The primary area that grsec doesn't fit is when it strays from standard
access control (the PaX and audit bits spring to mind).

thanks,
-chris
[Vserver] Re: libcap maintainership
* Linas Vepstas ([EMAIL PROTECTED]) wrote:
> On Mon, Nov 10, 2003 at 09:36:48AM -0800, Chris Wright was heard to remark:
> > * Linas Vepstas ([EMAIL PROTECTED]) wrote:
> > > Well, I found the output of getpcap cryptic, and was unable to Google
> > > up any documentation that was 'adequate'.
> >
> > Have you looked at the manpages with libcap source[1]? I agree, the
> > output is odd, but there are some docs that help decipher it.
> >
> > [1] http://www.kernel.org/pub/linux/libs/security/linux-privs/kernel-2.4/
>
> Hmm, yeah. Actually, it does help; with only some 'minor' complaints:
>
> -- there are still no manpages for 'getpcap' etc. (although the
> cap_to_text manpage is pretty good).

Yes, that's the one I was thinking of.

> -- No one has maintained this thing since 1999 ... It needs a home,
> either at savannah.gnu.org or at sourceforge.
>
> My question is: is there any active maintainer for this thing? any
> mailing lists? I'm vaguely thinking of tweaking the thing, but have
> nowhere to send patches ... any suggestions where a home (i.e. cvs,
> mailing list, bug tracker) for this thing should be created?

There is an old (like quiet for months/years at a time) list on
sourceforge.

[EMAIL PROTECTED]
http://sourceforge.net/projects/linux-privs/

You might try Andrew Morgan directly. If you don't hear back from him, I
can help resurrect this.

thanks,
-chris
Re: [Vserver] An interesting problem/bug with IP aliases
* Jacques Gelinas ([EMAIL PROTECTED]) wrote:
> $ /sbin/ip addr add 192.168.0.0/24 dev eth0
> $ /sbin/ip addr add 192.168.0.1 dev eth0
> $ /sbin/ip addr add 192.168.0.2 dev eth0
> $ /sbin/ip addr list
> inet 192.168.0.0/24 scope global eth0
> inet 192.168.0.1/32 scope global eth0
> inet 192.168.0.2/32 scope global eth0
>
> Now if I do
>
> $ /sbin/ip addr add 192.168.0.0/24 dev eth0
> $ /sbin/ip addr add 192.168.0.1/24 dev eth0
> $ /sbin/ip addr add 192.168.0.2/24 dev eth0
> $ /sbin/ip addr list
> inet 192.168.0.0/24 scope global eth0
> inet 192.168.0.1/24 scope global secondary eth0
> inet 192.168.0.2/24 scope global secondary eth0
>
> Now if I delete 192.168.0.0, I am losing them all.

Yup, this latter example is what happens with ifconfig.

> I have reviewed this problem. I realise now why most people have not
> experienced this problem. If you set an IP alias (using whatever tool)
> on eth0, using the same network as currently defined on eth0, then the
> aliases all become secondary and you lose the alias definitions only if
> you unconfigure eth0, which you seldom do.
>
> We have witnessed this problem because we generally use private
> networks inside a host server and all the vservers are hooked to this
> network. We do this to achieve physical network failover. All our
> servers have 2 nics and using gated the internal network used by the
> vservers is advertised on both nics.
>
> Using the ip addr add 192.168.0.0/24 dev eth0 above should cure our
> own problem. I realise this is not a typical setup.

We have seen similar problems in the linux-ha project. Use of ip instead
of ifconfig gives much better flexibility, IMHO. Hope it's working for
you now.

thanks,
-chris
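The primary/secondary dependency Jacques describes can be checked offline from captured `ip addr list` output before an address is removed. This is an added Python example, not code from the thread or from iproute2; it assumes the line layout shown in the thread (`inet ADDR scope SCOPE [secondary] DEV`, with an optional `brd` field tolerated) and embeds the thread's two listings as constructed sample input.

```python
import ipaddress
import re

# Constructed sample: the two 'ip addr list' outputs quoted in the thread.
# In LISTING_SLASH32 the aliases are /32 and stay independent primaries;
# in LISTING_SLASH24 they share the /24 of 192.168.0.0 and become secondaries.
LISTING_SLASH32 = """\
inet 192.168.0.0/24 scope global eth0
inet 192.168.0.1/32 scope global eth0
inet 192.168.0.2/32 scope global eth0
"""
LISTING_SLASH24 = """\
inet 192.168.0.0/24 scope global eth0
inet 192.168.0.1/24 scope global secondary eth0
inet 192.168.0.2/24 scope global secondary eth0
"""

# inet ADDR [brd BRD] scope SCOPE [secondary] DEV
LINE = re.compile(
    r"^\s*inet\s+(\S+)(?:\s+brd\s+\S+)?\s+scope\s+(\S+)\s+(secondary\s+)?(\S+)\s*$"
)


def parse_ip_addr(text):
    """Return one dict per 'inet' line: interface object, scope, flag, device."""
    entries = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip 'link/ether', 'inet6' and header lines
        cidr, scope, secondary, dev = m.groups()
        entries.append({"iface": ipaddress.ip_interface(cidr), "scope": scope,
                        "secondary": secondary is not None, "dev": dev})
    return entries


def dependents_of(entries, primary_addr):
    """Secondary addresses on the same device inside primary_addr's subnet.

    These are the aliases the kernel drops together with the primary, which is
    the loss Jacques observed; an empty list means deleting primary_addr is safe.
    """
    primary = next((e for e in entries
                    if not e["secondary"] and str(e["iface"].ip) == primary_addr), None)
    if primary is None:
        return []  # not present, or itself a secondary: nothing depends on it
    net = primary["iface"].network
    return [str(e["iface"]) for e in entries
            if e["secondary"] and e["dev"] == primary["dev"] and e["iface"].ip in net]
```

Run `dependents_of(parse_ip_addr(LISTING_SLASH24), "192.168.0.0")` to see the two aliases that would vanish; the same call on `LISTING_SLASH32` returns nothing because the /32 aliases are primaries in their own right.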