Hi Sandino,

Looks like I misunderstood and probably still am misunderstanding things. In
what way does reiser help with iptables rules? Seemed to me that it might be
better for ACL on files than grsec, right? By VPS admin do you mean 'root'
inside a single VPS or something else?

Pardon for being so dense.

Cheers,
Marc


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Sandino
Araico Sánchez
Sent: Friday, September 17, 2004 5:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] Reiser4 views/process oriented security proposal


Marc E. Fiuczynski wrote:

>Hi Sandino,
>
>In what compelling VPS scenarios is the VPS administrator != host system
>administrator?
>
>
In commercial VPS hosting the host system administrator is the hosting
provider while the VPS administrator is the client.

The client needs to issue a ticket each time he needs the hosting
provider to set up a new iptables rule or a new grsec ACL.

>Marc
>
>-----Original Message-----
>From: [EMAIL PROTECTED]
>[mailto:[EMAIL PROTECTED] Behalf Of Sandino
>Araico Sánchez
>Sent: Wednesday, September 15, 2004 10:36 PM
>To: [EMAIL PROTECTED]
>Subject: Re: [Vserver] Reiser4 views/process oriented security proposal
>
>
>Christian Mayrhuber wrote:
>
>
>
>>Could become interesting:
>> http://www.namesys.com/blackbox_security.html
>>
>>
>>
>>
>The process-oriented ACL seems functionally equivalent to grsec
>process-based ACLs.
>One disadvantage of grsec + vserver is that ACLs are applied system-wide
>and must be administered on the mother server.  The same applies to
>iptables rules.
>The advantage of Reiser's views model is that since they are defined on
>the file attributes they can be defined inside the scope of the children
>vservers so each vserver admin will be able to define his own ACLs just
>by defining ACL attributes on every file to be executed.
>The VPS administrators using Reiser 4 will be able to define
>process-oriented ACLs as they wish whenever they wish while VPS
>administrators using grsec ACLs must rely on their host system
>administrator to apply the rules as they better understand.
>
>
>
>>What do you think, maybe views instead of
>>chroot() + mount --bind?
>>
>>
>>
>>
>>
>
>_______________________________________________
>Vserver mailing list
>[EMAIL PROTECTED]
>http://list.linux-vserver.org/mailman/listinfo/vserver
>
>
>
