From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Thu 24 Oct 2002 - 00:05:49 BST
On Wed, 23 Oct 2002, Burak wrote:
> What is the risks to set S_CAPS="CAP_SYS_RESOURCE"
> because in vservers users can not use bind() and it is not good somepoint.
I'm not actually sure about this one anymore--somebody would be better
giving you an answer!
Normally processes are only allowed to lower their ulimit resources (core
size, file handles...), but this allows processes to *increase* them and
generally breaks the Unix philosophy of giving up permissions irreversibly.
The interesting point is that I've never run into this problem!
I run Bind on several of my vservers--without the extra CAP_SYS_RESOURCE
capabilities--and haven't experienced any problems. Having said that, these
will all be the standard Debian shipments and I haven't looked into the
issue more deeply, as to versions, or whether there are patches involved.
-Paul
PS. bind() is system call that allows a program to select an IP address.
Bind is a [the] DNS server (a ``mere program''!).
-- Nottingham, GB