Marc E. Fiuczynski wrote:

Hi Sandino,

Looks like I misunderstood and probably still am misunderstanding things. In
what way does reiser help with iptables rules?

It doesn't. It's just an example of things that can't be done inside a vserver and can/should only be done in the host system: iptables, routes, tunnels, mount/umount filesystems, grsec ACL rules...

Seemed to me that it might be
better for ACL on files than grsec, right?

Not exactly better. I'd say more convenient.

By VPS admin do you mean 'root'
inside a single VPS or something else?


yes

Pardon for being so dense.

Cheers,
Marc


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Sandino Araico Sánchez
Sent: Friday, September 17, 2004 5:20 AM
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] Reiser4 views/process oriented security proposal


Marc E. Fiuczynski wrote:



Hi Sandino,

In what compelling VPS scenarios is the VPS administrator != host system
administrator?




In commercial VPS hosting the host system administrator is the hosting
provider while the VPS administrator is the client.

The client needs to issue a ticket each time he needs the hosting
provider to set up a new iptables rule or a new grsec ACL.



Marc

-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] Behalf Of Sandino
Araico Sánchez
Sent: Wednesday, September 15, 2004 10:36 PM
To: [EMAIL PROTECTED]
Subject: Re: [Vserver] Reiser4 views/process oriented security proposal


Christian Mayrhuber wrote:





Could become interesting:
http://www.namesys.com/blackbox_security.html






The process-oriented ACL seems functionally equivalent to grsec
process-based ACLs.
One disadvantage of grsec + vserver is that ACLs are applied system-wide
and must be administered on the mother server.  The same applies to
iptables rules.
The advantage of Reiser's views model is that since they are defined on
the file attributes they can be defined inside the scope of the children
vservers so each vserver admin will be able to define his own ACLs just
by defining ACL attributes on every file to be executed.
The VPS administrators using Reiser 4 will be able to define
process-oriented ACLs as they wish whenever they wish while VPS
administrators using grsec ACLs must rely on their host system
administrator to apply the rules as they better understand.





What do you think, maybe views instead of
chroot() + mount --bind?







_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://list.linux-vserver.org/mailman/listinfo/vserver
