From: Paul Sladen (vserver_at_paul.sladen.org)
Date: Sat 04 Jan 2003 - 01:24:29 GMT

• Next message: ragnar_at_this.is: "[vserver] Vserver on Debian (long)"
• Previous message: Michael Hilscher: "Re: [vserver] caps und ULIMIT"
• In reply to: Michael Hilscher: "Re: [vserver] caps und ULIMIT"

On Sat, 4 Jan 2003, Michael Hilscher wrote:
> On Fri, Jan 03, 2003 at 04:59:01PM +0000, Paul Sladen wrote:
> > `CAP_SYS_RESOURCE':
> > Override resource limits. Set resource limits.
> > Which of the above do you think you need?
> Bind: http://www.solucorp.qc.ca/howto.hc?projet=vserver&id=72

Read: (including my roath for ISC Bind9 coders)

  http://www.paul.sladen.org/vserver/faq/#bind9

Synopsis: Compile with `--disable-linux-caps' and don't use `-u' with
threads enabled.

> i'm also not sure about the Risks of: CAP_NET_RAW capability
> Why is that cap deactivated in default?

So people have the ability to send ICMP Ping packets.

> * Allow use of RAW sockets
> * Allow use of PACKET sockets

At the moment the paranoid risk is sniffing plaintext from other vserver
throught the loopback. People could potentionally use the machine as a DoS
source by sending lots of spoofed packets.

The former they could do on unswitched ethernet; the latter they could do
on a Dedicated server anyway.

        -Paul

-- 
Nottingham, GB

• Next message: ragnar_at_this.is: "[vserver] Vserver on Debian (long)"
• Previous message: Michael Hilscher: "Re: [vserver] caps und ULIMIT"
• In reply to: Michael Hilscher: "Re: [vserver] caps und ULIMIT"