From: Jacques Gelinas (jack_at_solucorp.qc.ca)
Date: Thu 24 Oct 2002 - 20:45:25 BST
On Wed, 23 Oct 2002 23:25:34 -0500, Burak wrote
> What are the risks of setting S_CAPS="CAP_SYS_RESOURCE"?
> Because in vservers users cannot use bind(), and that is not good at some point.
The bind daemon needs this to run. This is kind of a flaw (in bind). Without
this capability, a root process is not allowed to raise its resources (ulimit). A non-root
process (by default) never has this capability.
Now bind does this:

    Ok, we have to make sure we have enough resources.
    First we request to raise our capability by setting
    Then we check if we have enough resources. If not,
    we raise them. If ok, we continue.
    Then we lower the capability.

The flaw is that bind, by default on a Linux distro, already has all it needs.
So the tests should be inverted somewhat.
So for now, we have to give CAP_SYS_RESOURCE until bind is fixed.
Now, the problem is that on any Linux distro, it is not possible to lower
the capabilities of a process before executing it. So the bind authors are simply
unaware of the issue. The capability system found on Linux, without the
vserver patch, is kind of incomplete.
If a program lowers its capabilities and then executes a child, the child will
get back all the capabilities. This was done so setuid programs still work
until capabilities can be tagged to executables (a little like the setuid bits).
Unfortunately, this is not about to happen (imho) because it is not so useful.
What people would like is the ability to say:

    OK, apache, when executed by user jack, is allowed to
    bind to port 80.

Currently with capabilities, it is all or nothing.
Now the effect of giving CAP_SYS_RESOURCE to a vserver is that it is allowed
to raise some limits, which is annoying.
Time to patch bind and to inform the authors.
Jacques Gelinas <jack_at_solucorp.qc.ca>
vserver: run general purpose virtual servers on one box, full speed!
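The "inverted" test Jacques asks for, as an added example that is not code from the thread or from bind itself: query the resource limit first and only attempt to raise it when it is actually too low, so a daemon that the distro already provisions never has to touch a privileged operation. Raising the hard limit is what needs CAP_SYS_RESOURCE; raising the soft limit up to the hard limit does not. The enum, `ensure_rlimit` and the `ensure_open_files` wrapper are hypothetical names chosen here.

```c
/* Added example (not from the thread or from bind): check the limit
 * before raising it, so CAP_SYS_RESOURCE is only exercised when the
 * hard limit really is too low. */
#include <stdio.h>
#include <sys/resource.h>

enum ensure_result {
    ENSURE_FAILED = -1,     /* setrlimit refused; errno set (EPERM) */
    ENSURE_ALREADY_OK = 0,  /* nothing to do: no privilege touched */
    ENSURE_RAISED_SOFT = 1, /* soft limit bumped within the hard limit */
    ENSURE_RAISED_HARD = 2  /* hard limit raised: CAP_SYS_RESOURCE used */
};

/* Make sure the soft limit for `resource` is at least `need`. */
int ensure_rlimit(int resource, rlim_t need)
{
    struct rlimit rl;
    if (getrlimit(resource, &rl) != 0)
        return ENSURE_FAILED;
    /* Test first: on a default distro install this is the common exit. */
    if (rl.rlim_cur == RLIM_INFINITY || rl.rlim_cur >= need)
        return ENSURE_ALREADY_OK;
    /* Unprivileged path: any process may raise its soft limit up to the hard one. */
    if (rl.rlim_max == RLIM_INFINITY || rl.rlim_max >= need) {
        rl.rlim_cur = need;
        return setrlimit(resource, &rl) == 0 ? ENSURE_RAISED_SOFT : ENSURE_FAILED;
    }
    /* Privileged path: only here does the capability matter at all. */
    rl.rlim_cur = rl.rlim_max = need;
    return setrlimit(resource, &rl) == 0 ? ENSURE_RAISED_HARD : ENSURE_FAILED;
}

/* Hypothetical helper for the limit a name server is most likely to care about. */
int ensure_open_files(rlim_t need) { return ensure_rlimit(RLIMIT_NOFILE, need); }

int main(void)
{
    int r = ensure_open_files(1024);
    if (r == ENSURE_FAILED) {
        perror("setrlimit");
        return 1;
    }
    printf("open files: %s\n",
           r == ENSURE_ALREADY_OK  ? "already sufficient, no privilege used" :
           r == ENSURE_RAISED_SOFT ? "soft limit raised without any capability" :
                                     "hard limit raised, CAP_SYS_RESOURCE needed");
    return 0;
}
```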