On 3/17/07, Daniel Hokka Zakrisson <[EMAIL PROTECTED]> wrote:
> > > You absolutely never ever want to do that, if you care the least about the
> > > guest being secure... /dev/mem would give it complete access to the
> > > contents of your RAM.
> >
> > Seriously if you care about your guest being secure you make sure that
> > the host doesn't have physical network access. If you want to be able
> > to run certain programs in a guest you sometimes need rights which are
> > available to only the host. That's the whole point of caps.
>
> Which should not be taken as lightly as "you just need to create XYZ".
> It's something that essentially voids the entire virtualization/isolation
> that Linux-VServer provides...

You are right that I was a little flippant in my remark that one
should just create /dev/mem, and should have mentioned the security
implications. My remark did contain a reservation you didn't pick up on.
"You might just need to create XYZ" carries a very different message
than "you just need to create XYZ." In this case "might" means that it
is possible that you would need to do XYZ. I realize that this
reservation could be missed in a cursory reading.
However, that doesn't negate the fact that to run OCS Agent as
is in a guest you might just need to create /dev/mem.
regards,
D.
blaze your trail
--
redhat