
From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Mon 16 Jun 2003 - 17:32:03 BST


On Mon, Jun 16, 2003 at 06:06:05PM +0200, Martin List-Petersen wrote:
> Quoting Mitchell Smith <mjs_at_blitztechnology.net>:
>
> > Greetings list,
> >
> > I am wanting to create a management console for my virtual
> > host users so that they may

I assume the physical machine is referred to here ..

> > . Restart their virtual server if necessary
> > . Log in on the console in the event they get over enthusiastic
> > with their firewall rules or something and lock themselves out.

I further assume, they have some unix user account
on the physical context ...

> > My question is to the security of the vserver binary.
> >
> > obviously I would run a restricted shell like osh or something
> > similar, but can anyone think of a way that I can.

I guess you mean in this unix account?

> > a. allow them to "vserver stop|start" without being root
> > b. "vserver enter" only on their own vserver and no one else's.

what about sudo? that can be configured for
all your purposes, without giving anything
unwanted to anybody ...

or a nifty sshd setup, which executes the
required commands ...

> > Obviously something such as this would be easier using something
> > like user mode linux, but we have built our whole system on
> > vserver, so it's a bit late to change.

it is never too late to change ...

> vserver start | stop i can't see the big problem with.
> I would realise this via a cron job, that checks a file
> or database or something else, then stops and
> starts the vserver and writes a status back.

if you are suggesting to implement vreboot, save your
time, it has been already done (rebootmgr) ..

> vserver enter i would find slightly more complicated to
> accomplish without compromising your host system.

hmm? you are referring to the shell-scriptness
of the vserver script?

if you really need security, you could always
code your syscalls yourself ...

best,
Herbert

> Regards,
> Martin List-Petersen
> martin at list-petersen dot dk
> --
> Don't go surfing in South Dakota for a while.
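
One way to combine the sudo and sshd suggestions from the reply above, as an added example that is not part of the original thread or the vserver project: a forced-command gate that derives the vserver name from the login account, so a user can never name someone else's vserver. It assumes the account name equals the vserver name, the `vserver <name> <action>` command form, the binary path `/usr/sbin/vserver`, and the install path and sudoers rule shown in the comments.

```shell
#!/bin/sh
# Added example, not from the thread. Assumptions: the unix account name is
# also the vserver name, the CLI form is "vserver <name> <action>", and the
# binary is /usr/sbin/vserver. "alice" below is a constructed account.
#
# authorized_keys (one line per customer key):
#   command="/usr/local/bin/vserver-gate",no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-rsa <key>
# sudoers (exact argument match, one rule set per account):
#   alice ALL=(root) NOPASSWD: /usr/sbin/vserver alice start, \
#         /usr/sbin/vserver alice stop, /usr/sbin/vserver alice enter

VSERVER_BIN=/usr/sbin/vserver

# Print the exact command allowed for account $1 requesting action $2,
# or return 1 if the request is not on the allow-list.
vserver_gate() {
    account=$1
    request=$2
    # The account name becomes an argument: strict charset, no leading dash.
    case $account in
        ''|*[!a-z0-9_-]*|-*) return 1 ;;
    esac
    # The request must be exactly one allow-listed word; anything carrying
    # spaces, separators or extra arguments fails the match.
    case $request in
        start|stop|enter) ;;
        *) return 1 ;;
    esac
    printf '%s %s %s\n' "$VSERVER_BIN" "$account" "$request"
}

# Entry point when sshd runs this file as a forced command; sshd puts the
# command the client asked for in SSH_ORIGINAL_COMMAND.
gate_main() {
    cmd=$(vserver_gate "$(id -un)" "${SSH_ORIGINAL_COMMAND:-}") || {
        echo "denied" >&2
        return 1
    }
    # $cmd holds only validated tokens, so word splitting here is safe.
    exec sudo -n -- $cmd
}

# Run only when installed under its own name, not when sourced for testing.
case ${0##*/} in
    vserver-gate) gate_main ;;
esac
```

With this in place `ssh -t alice@host enter` reaches only alice's vserver; the sudoers rule is the second check if the gate script is ever bypassed.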


Generated on Mon 16 Jun 2003 - 17:53:10 BST by hypermail 2.1.3