From: Sam Vilain (sam_at_vilain.net)
Date: Fri 12 Jul 2002 - 15:25:41 BST
Jacques Gelinas <jack_at_solucorp.qc.ca> wrote:
> > Quota works fine if each vserver is mounted on a different LVM share, or
> > loopback filesystem.
> Yes but there is another issue. You may want to limit quota per user in
> a vserver and allow the vserver administrator to handle it. To handle quota
> he needs access to the block device and this opens a security issue.
Is it much of a security issue to give them a /dev entry for their own LVM partition?
I guess the answer is yes, a malicious user could hang the kernel by frigging with the block device themselves.
But if it was there, but they just couldn't open it, they could still call quotactl() on it and quotas would still work. Is this your intention for the new unused CAP_OPENDEV capability?
-- Sam Vilain, sam_at_vilain.net WWW: http://sam.vilain.net/ 7D74 2A09 B2D3 C30F F78E GPG: http://sam.vilain.net/sam.asc 278A A425 30A9 05B5 2F13
Real Computer Scientists Don't Write Code