From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Mon 25 Nov 2002 - 12:42:58 GMT

On Mon, Nov 25, 2002 at 12:19:08PM +0000, Sam Vilain wrote:
> On Saturday 23 November 2002 14:32, Herbert Poetzl wrote:
> > CAP_SYS_ADMIN is currently sufficient for complete
> > quota control, CAP_QUOTACTL enables root in a virtual
> > server to maintain the user quotas.
> How did you get around allowing the virtual server that is running the
> commands access to the disk device that the partition resides on?
> It's undesirable to allow root on a vserver to be able to open a block device
> directly (amplus nucleus violatus), which must be provided for some of the
> ioctl() commands required by quota commands.

quotactl() commands, not ioctls, and I use the
vroot proxy device described on my pages ...

> The only sensible work-around involves userland passing of quota admin
> operations from one context to another, eg via an ssh forced command.