On Sat, Mar 17, 2007 at 02:37:39PM +0000, Daniel W. Crompton wrote:
> On 3/17/07, Daniel Hokka Zakrisson <[EMAIL PROTECTED]> wrote:
> >>>You absolutely never ever want to do that, if you care the least about
> >>>the guest being secure... /dev/mem would give it complete access to the
> >>>contents of your RAM.
> >>Seriously if you care about your guest being secure you make sure that
> >>the host doesn't have physical network access. If you want to be able
> >>to run certain programs in a guest you sometimes need rights which are
> >>available to only the host. That's the whole point of caps.
> >Which should not be taken as lightly as "you just need to create XYZ".
> >It's something that essentially voids the entire virtualization/isolation
> >that Linux-VServer provides...
>
> You are right that I was a little flippant in my remark that one
> should just create /dev/mem, and should have mentioned the security
> implications. My remark did contain a reservation you didn't pick up on.
> "You might just need to create XYZ" carries a very different message
> than "you just need to create XYZ." In this case "might" means that it
> is possible that you would need to do XYZ; I realize that this
> reservation could be missed in a cursory reading.
>
> However, that doesn't negate the fact that to run OCS Agent as
> is in a guest you might just need to create /dev/mem.

you might want to check with the source (of OCS Agent) what the
application actually does with /dev/mem

best,
Herbert

> regards,
>
> D.
>
> blaze your trail
>
> --
> redhat
> _______________________________________________
> Vserver mailing list
> [email protected]
> http://list.linux-vserver.org/mailman/listinfo/vserver
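Added example, not part of the original thread and not Linux-VServer's own tooling: a host-side audit that reports memory device nodes inside guest root filesystems. It matches on device numbers (character 1:1 mem, 1:2 kmem, 1:4 port) rather than on file names, since a node with any name gives the same access. The /vservers default and the function names are assumptions of this example.

```python
#!/usr/bin/env python3
import os
import stat
import sys

# Linux character devices on major 1 that expose raw memory or I/O ports.
MEMORY_DEVICES = {(1, 1): "mem", (1, 2): "kmem", (1, 4): "port"}


def classify(mode, rdev):
    """Return the kernel name if (mode, rdev) is a memory device, else None."""
    if not stat.S_ISCHR(mode):
        return None  # block 1:1 is a ramdisk, not /dev/mem
    return MEMORY_DEVICES.get((os.major(rdev), os.minor(rdev)))


def audit_guest(root):
    """Return [(path, kernel_name)] for memory device nodes under root."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: never follow guest symlinks
            except OSError:
                continue  # vanished or unreadable entry
            kind = classify(st.st_mode, st.st_rdev)
            if kind:
                findings.append((path, kind))
    return sorted(findings)


def main(argv):
    base = argv[1] if len(argv) > 1 else "/vservers"  # assumed guest base dir
    if not os.path.isdir(base):
        print(f"{base}: not a directory", file=sys.stderr)
        return 2
    hits = []
    for guest in sorted(os.listdir(base)):
        hits += audit_guest(os.path.join(base, guest))
    for path, kind in hits:
        print(f"{path}: character device for /dev/{kind}")
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

The exit status is 1 when any guest contains such a node, so the script can run from cron or a monitoring check on the host.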
