From: Thomas Weber (x_at_4t2.com)
Date: Wed 22 Jan 2003 - 16:14:14 GMT
On Wed, Jan 22, 2003 at 04:52:20PM +0100, rico_at_rhauke.de wrote:
> I wonder why root inside my vservers can still access block devices?
> I built kernel 2.4.20ctx-16 and vserver-0.22 on Debian testing and set up
> a virtual server context where sshd runs inside. This works fine.
> Unfortunately, after connecting to my vserver from another machine, root
> inside my vserver is still able to access block devices, although it only
> has the limited (--secure) set of capabilities described in the reducecap
> manpage. So root can do things like 'cat /dev/hda1' or 'cat /dev/random >
> /dev/hda1'. Since I read that root inside a vserver "can't take over the
> machine" or even "can't access block devices" (vserver documentation 2.2),
> I wonder why root is able to on my machine.
Just remove the block devices in /dev within the vservers - they are not needed.
And unless you fiddle with S_CAPS in the conf, root shouldn't be able to
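The cleanup Thomas suggests, as an added example that is not part of the original thread: a small POSIX shell script that audits a vserver's /dev for block device nodes and, only when asked, removes them. The vserver root path (/vservers/NAME) is an assumption about the layout; adjust it to yours. Everything else relies on standard find/ls behaviour only.

```shell
#!/bin/sh
# Audit and optionally remove block device nodes in a vserver's /dev.
# Added example, not code from the vserver project or the original mail.
# VSERVER_ROOT is an assumed path; change it to match your installation.
VSERVER_ROOT=${VSERVER_ROOT:-/vservers/NAME}

# list_block_nodes DIR: print an ls -l line for every block special file
# under DIR. -xdev keeps find on DIR's own filesystem so a /dev mounted
# below it is not walked; -type b matches block devices only, so regular
# files, symlinks and character devices (null, random, tty...) are left alone.
list_block_nodes() {
    find "$1" -xdev -type b -exec ls -l {} + 2>/dev/null
}

# count_block_nodes DIR: number of block device nodes under DIR (0 if none).
count_block_nodes() {
    find "$1" -xdev -type b 2>/dev/null | wc -l | tr -d ' '
}

# remove_block_nodes DIR: delete every block device node under DIR and print
# what was removed. Fails (returns 1) if DIR does not exist, so a typo in the
# vserver path cannot silently turn into a no-op that looks like success.
remove_block_nodes() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    find "$dir" -xdev -type b -exec rm -v {} +
}

# Usage:  sh devaudit.sh           (report only)
#         sh devaudit.sh --remove  (delete the block nodes)
case "${1:-}" in
    --remove)
        remove_block_nodes "$VSERVER_ROOT/dev"
        ;;
    "")
        if [ -d "$VSERVER_ROOT/dev" ]; then
            echo "block device nodes in $VSERVER_ROOT/dev:" \
                 "$(count_block_nodes "$VSERVER_ROOT/dev")"
            list_block_nodes "$VSERVER_ROOT/dev"
        fi
        ;;
esac
```

Run the report first and re-run it after the removal; the count should be 0. Note that this only removes the nodes already present: anything with CAP_MKNOD inside the context could recreate them, which is why the capability set in the conf matters as well.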