Re: [Vserver] bind mounts within a vserver?
On Fri, Oct 15, 2004 at 01:44:50PM -0400, Gregory (Grisha) Trubetskoy wrote:
> On Fri, 17 Sep 2004, Herbert Poetzl wrote:
>
> >On Thu, Sep 16, 2004 at 10:29:52PM -0400, Gregory (Grisha) Trubetskoy
> >wrote:
> >>
> >>Is it possible to somehow use mount --bind from within a vserver?
> >>(vs1.28).
> >
> >not in a secure way with the 2.4 stable branch, but
> >it is with recent 2.6 (vs1.9.x) devel branch ...
>
> Could you please elaborate on this?
>
> On 1.9.3-rc2.1/latest utils I see that I can mount after I give the
> context SYS_ADMIN bcap, but that doesn't seem like a wise thing in a web
> hosting scenario (our case) - is there some other way?

yes, giving VXC_SECURE_MOUNT (a context capability) without
the CAP_SYS_ADMIN (linux capability) will allow for 'secure'
mounts (including --bind mounts) inside a vserver ...

HTH,
Herbert

> Thanks,
>
> Grisha

___
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
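An added example, not from the thread or from the util-vserver project: a small POSIX sh audit that tells the two configurations Herbert contrasts apart (the SYS_ADMIN bcap route versus the SECURE_MOUNT ccap route) across a set of guest config directories. It assumes the util-vserver per-guest layout `<root>/<guest>/bcapabilities` and `<root>/<guest>/ccapabilities` with one capability name per line, and the spelling `SECURE_MOUNT` for VXC_SECURE_MOUNT in that file; the sample tree is constructed so it runs offline.

```shell
#!/bin/sh
# Added example (not from the thread or util-vserver): audit guest config
# directories for the two ways of allowing mount(8) inside a guest that
# Herbert's reply contrasts. Assumed layout (util-vserver style):
#   <root>/<guest>/bcapabilities  - Linux capabilities, one name per line
#   <root>/<guest>/ccapabilities  - context capabilities, one name per line
set -u

# Is capability name $2 listed in file $1? (a missing file counts as "no")
has_cap() {
    [ -f "$1" ] && grep -qix "$2" "$1"
}

# Classify one guest directory. Prints one of:
#   RISKY    - SYS_ADMIN bcap granted: full mount/admin power in the guest
#   SECURE   - SECURE_MOUNT ccap without SYS_ADMIN: what the reply suggests
#   NO_MOUNT - neither: mount --bind from inside the guest will fail
classify_guest() {
    if has_cap "$1/bcapabilities" SYS_ADMIN; then
        echo RISKY
    elif has_cap "$1/ccapabilities" SECURE_MOUNT; then
        echo SECURE
    else
        echo NO_MOUNT
    fi
}

# Report every guest under a config root; exit status 1 if any is RISKY.
audit_vservers() {
    rc=0
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        verdict=$(classify_guest "${d%/}")
        printf '%-12s %s\n' "$(basename "$d")" "$verdict"
        [ "$verdict" = RISKY ] && rc=1
    done
    return $rc
}

# Constructed sample tree standing in for /etc/vservers, so this runs offline.
make_sample() {
    root=$(mktemp -d)
    mkdir -p "$root/web1" "$root/web2" "$root/web3"
    echo SYS_ADMIN    > "$root/web1/bcapabilities"   # weak: the bcap route
    echo SECURE_MOUNT > "$root/web2/ccapabilities"   # the ccap route instead
    : > "$root/web3/bcapabilities"                   # nothing granted
    echo "$root"
}

# Audit the directory given as $1, or the constructed sample if none.
audit_vservers "${1:-$(make_sample)}" || echo "at least one guest grants SYS_ADMIN"
```

Point it at the real config root (e.g. `sh audit.sh /etc/vservers`) to get one line per guest and a non-zero exit status whenever a guest still relies on the SYS_ADMIN bcap.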
Re: [Vserver] bind mounts within a vserver?
On Fri, 17 Sep 2004, Herbert Poetzl wrote:

> On Thu, Sep 16, 2004 at 10:29:52PM -0400, Gregory (Grisha) Trubetskoy wrote:
> >
> > Is it possible to somehow use mount --bind from within a vserver?
> > (vs1.28).
>
> not in a secure way with the 2.4 stable branch, but
> it is with recent 2.6 (vs1.9.x) devel branch ...

Could you please elaborate on this?

On 1.9.3-rc2.1/latest utils I see that I can mount after I give the
context SYS_ADMIN bcap, but that doesn't seem like a wise thing in a web
hosting scenario (our case) - is there some other way?

Thanks,

Grisha
Re: [Vserver] bind mounts within a vserver?
On Fri, Sep 17, 2004 at 10:37:20AM -0400, Gregory (Grisha) Trubetskoy wrote:
>
> On Fri, 17 Sep 2004, Herbert Poetzl wrote:
>
> >On Thu, Sep 16, 2004 at 10:29:52PM -0400, Gregory (Grisha) Trubetskoy
> >wrote:
> >>
> >>Is it possible to somehow use mount --bind from within a vserver?
> >>(vs1.28).
> >
> >not in a secure way with the 2.4 stable branch, but it is with recent
> >2.6 (vs1.9.x) devel branch ...
>
> Thanks
>
> >of course, after adding enough CAPs, everything is possible ...
>
> We do something like this to allow ping and traceroute - there is an
> outside process that reenters the vserver to execute a particular command
> with an elevated capability.

ping and traceroute should also work fine with 2.6 devel
branch ... without the need for additional CAPs ..

> At first look it seems that mount --bind obeys chroot and it should be
> safe for us to allow it as well, or is there some apparent security
> problem with this?

well, namespaces make --bind mounts secure, chroot jails
might pose some security issues ...

best,
Herbert

> There are more details on the aforementioned kludge here for those
> interested:
>
> http://www.openvps.org/cvs/viewcvs.cgi/oh-host/ohd/README?rev=1.1&content-type=text/vnd.viewcvs-markup
>
> Thanks for your help!
>
> Grisha
Re: [Vserver] bind mounts within a vserver?
On Fri, 17 Sep 2004, Herbert Poetzl wrote:

> On Thu, Sep 16, 2004 at 10:29:52PM -0400, Gregory (Grisha) Trubetskoy wrote:
> >
> > Is it possible to somehow use mount --bind from within a vserver?
> > (vs1.28).
>
> not in a secure way with the 2.4 stable branch, but it is with recent
> 2.6 (vs1.9.x) devel branch ...

Thanks

> of course, after adding enough CAPs, everything is possible ...

We do something like this to allow ping and traceroute - there is an
outside process that reenters the vserver to execute a particular command
with an elevated capability.

At first look it seems that mount --bind obeys chroot and it should be
safe for us to allow it as well, or is there some apparent security
problem with this?

There are more details on the aforementioned kludge here for those
interested:

http://www.openvps.org/cvs/viewcvs.cgi/oh-host/ohd/README?rev=1.1&content-type=text/vnd.viewcvs-markup

Thanks for your help!

Grisha
Re: [Vserver] bind mounts within a vserver?
On Thu, Sep 16, 2004 at 10:29:52PM -0400, Gregory (Grisha) Trubetskoy wrote:
>
> Is it possible to somehow use mount --bind from within a vserver?
> (vs1.28).

not in a secure way with the 2.4 stable branch, but
it is with recent 2.6 (vs1.9.x) devel branch ...

of course, after adding enough CAPs, everything is possible ...

HTH,
Herbert

>
> Grisha