From: Nuno Silva (nuno.silva_at_vgertech.com)
Date: Wed 22 Jan 2003 - 16:15:13 GMT

• Previous message: Sam Vilain: "Re: [vserver] xdmcp"
• In reply to: rico_at_rhauke.de: "[vserver] access block devices"
• Next in thread: Thomas Weber: "Re: [vserver] access block devices"

Hi!

rico_at_rhauke.de wrote:
> Hello,
>
> i wonder why root inside my vservers can still access block devices?
>
> i built kernel 2.4.20ctx-16 and vserver-0.22 on debian testing and set up
> a virtual server context where sshd runs inside. this works fine.
> unfortunately after connecting to my vserver from another machine, root
> inside my vserver is still able to access block devices, although it only
> has the limited (--secure) set of capabilities described in the reducecap
> manpage. so root can do things like 'cat /dev/hda1' or 'cat /dev/random >
> /dev/hda1'. since i read that root inside a vserver "can't take over the
> machine" or even "can't access block devices" (vserver documentation 2.2),
> i wonder why root is able on my machine.
>

This is because you didn't follow vserver's "conventions". Vserver's
/dev must have a minimal number of entries. I have these:
cheetah:/dev# ls -la
total 8
drwxr-xr-x 3 root root 4096 Jan 8 05:48 .
drwxr-xr-x 20 root root 4096 Nov 20 09:10 ..
-rw------- 1 root root 0 Mar 21 2002 .devfsd
lrwxrwxrwx 1 root root 13 Aug 17 02:06 MAKEDEV ->
/sbin/MAKEDEV
lrwxrwxrwx 1 root root 11 Nov 20 04:07 core -> /proc/kcore
crw--w--w- 1 root root 1, 7 Aug 17 02:06 full
prw------- 1 root root 0 Aug 17 02:06 initctl
srw-rw-rw- 1 root root 0 Jan 8 05:48 log
crw-rw-rw- 1 root root 1, 3 Aug 17 02:06 null
crw-rw-rw- 1 root root 5, 2 Aug 17 02:06 ptmx
drwxr-xr-x 2 root root 0 Jan 8 05:48 pts
lrwxrwxrwx 1 root root 4 Nov 20 04:07 ram -> ram1
crw-r--r-- 1 root root 1, 8 Aug 17 02:06 random
srw------- 1 root root 0 Aug 17 02:06 reboot
crw-rw-rw- 1 root root 5, 0 Aug 17 02:06 tty
crw-r--r-- 1 root root 1, 9 Nov 21 14:06 urandom
prw-r----- 1 root adm 0 Jan 22 06:30 xconsole
crw-rw-rw- 1 root root 1, 5 Aug 17 02:06 zero
cheetah:/dev#

Some of them are created when the vserver starts (initctl, for instance).

Check the vserver script and see what /dev entries the script wnats to
create ;)

Regards,
Nuno Silva

> okay i thought i did something wrong and installed the precompiled kernel
> and binaries from solucorp and set up another vserver. i didn't enter any
> capabilities at the S_CAPS parameter, but after entering the vserver
> context root can still access block devices.
>
> can anyone tell me what i did wrong or what else i can try?
>
> thanks a lot,
> Rico Hauke
>
>
>
>

• Previous message: Sam Vilain: "Re: [vserver] xdmcp"
• In reply to: rico_at_rhauke.de: "[vserver] access block devices"
• Next in thread: Thomas Weber: "Re: [vserver] access block devices"