On Thursday 16 October 2003 03:45, Herbert Poetzl wrote:
> On Wed, Oct 15, 2003 at 09:28:05PM +0200, Dariush Pietrzak wrote:
> >> For gawd's sake. Do not do that. Giving a vserver the
> >> permission to take down the system, just so that you can
> >> run a badly-compiled copy of Bind9, is
> >
> > In other words, nothing've changed, if you want to run
> > bind9 your best bet is to run it chrooted on master server.
> > (I prefer to run it chrooted as 'bind' user than to run
> > it vserver-chrooted as 'root' ).
>
> hmm, maybe all of you should have a look at the
> source, to find that the following is true
> (at least for 9.2.2)
>
> named does (on linux only) change the capabilities
> in such a way, that a non-root process can still bind
> to reserved ports (< 1024), by calling capset, which
> requires that ...
>
>
> /* Override resource limits. Set resource limits. */

For 'named' we need only this. We can allow use of only it, but this
requires that we stop using task->rlim for vserver limits.
Possible move to s_info structure.
--
With best regards, Alex
_______________________________________________
Vserver mailing list
[EMAIL PROTECTED]
http://www.solucorp.qc.ca/mailman/listinfo/vserver
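
The capability handling Herbert Poetzl describes, as an added example that is not part of the original message and is not BIND's source: a root-started daemon keeps its permitted capabilities across setuid() and then uses capset to trim them to a small set. KEEP_CAPS is an assumption (CAP_NET_BIND_SERVICE for ports below 1024, plus CAP_SYS_RESOURCE, whose comment in linux/capability.h is the one quoted above); the function names and the uid/gid 65534 are hypothetical.

```c
#define _GNU_SOURCE
#include <grp.h>
#include <linux/capability.h>
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>

/* Assumed set: low ports, plus "Override resource limits. Set resource limits." */
#define KEEP_CAPS ((1u << CAP_NET_BIND_SERVICE) | (1u << CAP_SYS_RESOURCE))

static int caps_io(long nr, struct __user_cap_data_struct d[2]) {
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(nr, &h, d);
}

/* Effective capability bits 0..31 of the calling process (0 on error). */
unsigned effective_caps(void) {
    struct __user_cap_data_struct d[2];
    memset(d, 0, sizeof d);
    return caps_io(SYS_capget, d) == 0 ? d[0].effective : 0;
}

/* Shrink permitted/effective to (current permitted & want); only removes caps. */
int keep_only(unsigned want) {
    struct __user_cap_data_struct d[2];
    memset(d, 0, sizeof d);
    if (caps_io(SYS_capget, d) != 0) return -1;
    d[0].permitted &= want;
    d[0].effective = d[0].permitted;
    d[0].inheritable = 0;
    memset(&d[1], 0, sizeof d[1]);   /* bits 32..63: drop everything */
    return caps_io(SYS_capset, d);
}

/* Root-started daemon: keep permitted caps across setuid(), then trim them. */
int drop_root_keep(uid_t uid, gid_t gid, unsigned want) {
    if (getuid() == 0) {
        if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
        if (setgroups(0, NULL) != 0 || setgid(gid) != 0 || setuid(uid) != 0) return -1;
    }
    return keep_only(want);
}

int main(void) {   /* 65534 is a placeholder unprivileged uid/gid */
    if (drop_root_keep(65534, 65534, KEEP_CAPS) != 0) { perror("drop"); return 1; }
    printf("effective caps now: %#x\n", effective_caps());
    return 0;
}
```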
