[EMAIL PROTECTED] (Herbert Poetzl) writes:

> did a quick, first impression classification on those
> entries, so it is a start, but nothing final, and YMMV
>
> /proc/net/            (C)

required at least for firewall- or VPN-setup vservers


> -/proc/net/rpc/               (D)

proof-of-concept code ;) there is probably no need to remove this entry,
but this directory seems to be good for testing the '-' prefix without
destroying too much functionality...


> -/proc/sys/debug/     (D)
> -/proc/sys/dev/               (D)

ditto


> /proc/kcore           (D)
> /proc/kmsg            (C)
> /proc/ksyms           (C)

protected by CAP_SYS_ADMIN


> (B) ... not required, leaks host info

I do not think that this is a real problem; most parameters can be
determined in other ways also. So hiding the /proc entries would not
increase security.


> (C) ... critical, might pose a security risk
> (D) ... dangerous, might be used for DoS

Capability system should and must give enough protection; there are a few
entries (sysrq-triggers and scsi) which need the extra vproc wrapper. But
this should be the exception, not the rule...




Enrico
_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
