From: klavs klavsen (kl_at_vsen.dk)
Date: Fri 15 Feb 2002 - 14:05:45 GMT
On Fri, 2002-02-15 at 14:45, Vlad wrote:
> Oohhh... I get it now.. Somehow in your response the main part of the
> problem got lost. I just went back to your original message:
> And yeah, that's correct. You can use chroot within the virtual server, and
> you can do it securely. There was a bug where you could use chroot
> within vserver to escape out of the vserver and back into the root server.
> That has been fixed for a while. ;)
but chroot is still buggy (even if it's running under a vserver) so that
one could break out of a chroot jail and get to other services on the
> To save you some time, if you do go with bind inside virtual server make
> sure you compile it without linux caps; they will fail inside vserver.
ok. I'm kinda sad, that this means one can't use standard rpm's.. cause
I'm gonna setup these systems in small shops, where they don't have the
knowledge/expertise to compile themselves, and therefore standard
distribution rpm compatibility would be great to have..
I guess, I'm gonna have to think of something.. :-(
Then I will have to install the services on the customer machines, without
vserver (unless they explicitly want it with its advantages and
this would mean that I have to copy config files over ONLY.. from the
vserver to the customer server - whereas otherwise I would be able to
just copy the vserver directory :-(
and then I would have to maintain a secured base linux system, for the
customer server. I'm just gonna use my vserver box's root server for
Well it seems the path is becoming more clear to me now :-)
it's difficult to make a standard installation, that doesn't remove
flexibility and ease of use and doesn't compromise security either.
P.S. I've sent this mail to the vserver-mailinglist also, so that others
might gain from our discussion :-)
-- Regards, Klavs Klavsen
-------------| This mail has been sent to you by: |------------
Klavs Klavsen - OpenSource Consultant
kl_at_vsen.dk - http://www.vsen.dk
Get PGP key from www.keyserver.net - Key ID: 0x586D5BCA
Fingerprint = A95E B57B 3CE0 9131 9D15 94DA E1CD 641E 586D 5BCA
--------------------[ I believe that... ]-----------------------
It is a myth that people resist change. People resist what other
people make them do, not what they themselves choose to do...
That's why companies that innovate successfully year after year
seek their people's ideas, let them initiate new projects and
encourage more experiments.
-- Rosabeth Moss Kanter