Date: Wed 22 Jan 2003 - 15:52:20 GMT
i wonder why root inside my vservers can still access block devices?
i built kernel 2.4.20ctx-16 and vserver-0.22 on debian testing and set up
a virtual server context where sshd runs inside. this works fine.
unfortunately after connecting to my vserver from another machine, root
inside my vserver is still able to access block devices, although it only
has the limited (--secure) set of capabilities described in the reducecap
manpage. so root can do things like 'cat /dev/hda1' or 'cat /dev/random >
/dev/hda1'. since i read that root inside a vserver "can't take over the
machine" or even "can't access block devices" (vserver documentation 2.2),
i wonder why root is able on my machine.
okay i thought i did something wrong and installed the precompiled kernel
and binaries from solucorp and set up another vserver. i didn't enter any
capabilities at the S_CAPS parameter, but after entering the vserver
context root can still access block devices.
can anyone tell me what i did wrong or what else i can try?
thanks a lot,