On Thu, 9 Oct 2003 07:04:02 -0500, Alex Lyashkov wrote
> > This is probably a minor problem, but if we want to support vservers inside
> > vserver we must allow mount ? This is a problem. mount lets you DOS
> > a machine. Further, mount is covered by a very broad capability.
> >
> > Am I missing something ?
> >
> yes.
> In a private namespace, a _private_ mount tree is created.
> I see one possible DDoS - you can use it to exhaust kernel memory by doing
> many many mounts.
> What DDoS do you see ?

Mounting a broken file system can bring the OS down. A file system just follows
pointers around and assumes the fs was fsck'd properly. A carefully crafted fs
(mounted using the loopback, for example) would bring the system down.

---------------------------------------------------------
Jacques Gelinas <[EMAIL PROTECTED]>
vserver: run general purpose virtual servers on one box, full speed!
http://www.solucorp.qc.ca/miscprj/s_context.hc
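
An added example, not part of the original message or of the vserver project: a way to audit whether a process inside a context still holds the capability that gates mount(2), by decoding the Cap* lines of /proc/<pid>/status. It assumes the broad capability referred to above is CAP_SYS_ADMIN (bit 21 in <linux/capability.h>); the sample status text and the function names are constructed for illustration.

```python
import re

CAP_SYS_ADMIN = 21  # bit index in <linux/capability.h>; mount(2) requires it

# Constructed samples shaped like the Cap* lines of /proc/<pid>/status.
SAMPLE_HOST_ROOT = (
    "Name:\tsshd\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000fffffeff\n"
    "CapEff:\t00000000fffffeff\n"
)
SAMPLE_GUEST_ROOT = (  # same process with bit 21 cleared from both sets
    "Name:\tsshd\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t00000000ffdffeff\n"
    "CapEff:\t00000000ffdffeff\n"
)

_CAP_LINE = re.compile(r"^(Cap[A-Za-z]+):\s*([0-9a-fA-F]+)\s*$", re.MULTILINE)


def parse_cap_sets(status_text):
    """Return {'CapEff': int, ...} for every Cap* line in the status text."""
    return {name: int(mask, 16) for name, mask in _CAP_LINE.findall(status_text)}


def sets_with_sys_admin(status_text):
    """Names of the capability sets that still contain CAP_SYS_ADMIN."""
    caps = parse_cap_sets(status_text)
    return sorted(n for n, mask in caps.items() if (mask >> CAP_SYS_ADMIN) & 1)


def mount_exposure(status_text):
    """'can-mount' (effective), 'can-regain' (permitted only) or 'none'."""
    held = sets_with_sys_admin(status_text)
    if "CapEff" in held:
        return "can-mount"
    if "CapPrm" in held:
        return "can-regain"  # the process can raise it back into CapEff
    return "none"


if __name__ == "__main__":
    for label, text in (("host root", SAMPLE_HOST_ROOT),
                        ("guest root", SAMPLE_GUEST_ROOT)):
        print(label, mount_exposure(text), sets_with_sys_admin(text))
```

A result of "none" only shows that the process cannot call mount itself; it says nothing about file systems the host mounts on its behalf.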
