From: Nuno Silva (nuno.silva_at_vgertech.com)
Date: Mon 20 Jan 2003 - 14:58:27 GMT
Luís Miguel Silva wrote:
> Since I thought *somebody could sniff the data between vservers* I
> chose to bind them into the lo interface! That way they can still
> communicate with each other and be "secure" ;o) [would somebody correct me
> on this if I'm wrong?]
In the default vserver .conf, the vservers' root can't control the
network interfaces, so vservers' root can't enable promisc mode and
can't run a sniffer.
If the vservers' root could enable sniffing (you added CAP_NET_* to the
vservers' capabilities list, for instance) then he could do it in eth0
or lo... So, afaict, chbind'ing to eth0: or lo: is the same in terms
of "sniffer protection".
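
Added example, not part of the original message: a shell check of whether a context's effective capability mask (the `CapEff` line of `/proc/<pid>/status`) holds the network capabilities that make sniffing possible, which is the condition the reply points to rather than the bound interface. Reading "CAP_NET_*" as CAP_NET_ADMIN and CAP_NET_RAW is an assumption of this example, and the status excerpts are constructed.

```shell
#!/bin/sh
# Bit numbers from <linux/capability.h>. Treating these two as the CAP_NET_*
# capabilities relevant to sniffing is this example's assumption.
CAP_NET_ADMIN=12   # interface configuration, including promiscuous mode
CAP_NET_RAW=13     # use of RAW and PACKET sockets

# Print the CapEff hex mask from /proc/<pid>/status text read on stdin.
cap_eff_from_status() {
    awk '$1 == "CapEff:" { print $2; exit }'
}

# has_cap MASK BIT: succeed if bit BIT is set in the hex string MASK.
has_cap() {
    [ $(( (0x$1 >> $2) & 1 )) -eq 1 ]
}

# sniff_caps MASK: print the sniffing-related capabilities present in MASK.
sniff_caps() {
    out=""
    if has_cap "$1" "$CAP_NET_ADMIN"; then out="CAP_NET_ADMIN"; fi
    if has_cap "$1" "$CAP_NET_RAW"; then out="${out:+$out }CAP_NET_RAW"; fi
    echo "${out:-none}"
}

# Constructed /proc/<pid>/status excerpts, not captured from a real vserver.
STATUS_NO_NET='Name: sh
CapPrm: 0000000000000000
CapEff: 0000000000000000'
STATUS_WITH_NET='Name: sh
CapPrm: 0000000000003000
CapEff: 0000000000003000'

for sample in "$STATUS_NO_NET" "$STATUS_WITH_NET"; do
    mask=$(printf '%s\n' "$sample" | cap_eff_from_status)
    echo "CapEff=$mask -> $(sniff_caps "$mask")"
done

# On a live system, check the current context the same way.
if [ -r /proc/self/status ]; then
    mask=$(cap_eff_from_status < /proc/self/status)
    if [ -n "$mask" ]; then echo "this shell: $(sniff_caps "$mask")"; fi
fi
```

Run inside the vserver as its root: a result of `none` means that context can neither set promiscuous mode nor open packet sockets, on `lo` or on `eth0`.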