
From: Enrico Scholz (enrico.scholz_at_sigma-chemnitz.de)
Date: Wed 09 Jul 2003 - 18:45:17 BST


Herbert Pötzl <herbert_at_13thfloor.at> writes:

>> > [... vservers & iptables ...]
>>
>> Just add
>>
>> | S_CAPS="CAP_NET_ADMIN CAP_NET_RAW"
>>
>> to the vserver-configuration.
>> ...
>
> and remember, from this moment on, you will be able to
> modify/overwrite any interface on the physical host from
> within the vserver ... (including taking the interface
> down, etc)

Yes, but this is still better than controlling the iptables from
the physical host: it is true that an attacker can do bad things
with your network when the scripts in the iptables-vserver have
a hole. But he could do yet worse things when these scripts
run on the host machine.

(I am not speaking about giving every vserver these $S_CAPS, but
about a dedicated iptables-vserver (there exists exactly one
such vserver per host). Other vservers on the host (e.g. a
dialin-server) communicate through a simple protocol with
the iptables-vserver to set dynamic rules.)

Enrico

-- 
q: If you were young again, would you start writing TeX again or would
   you use Microsoft Word, or another word processor?
a: I hope to die before I have to use Microsoft Word.
  -- Harald Koenig <koenig_at_tat.physik.uni-tuebingen.de> asking D.E.Knuth
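An added audit check, not from this thread or the vserver project, for the policy Enrico describes: only the one dedicated iptables-vserver on a host should carry CAP_NET_ADMIN/CAP_NET_RAW in S_CAPS. It assumes legacy vserver configs are shell-style NAME.conf files with S_CAPS="..." lines and builds constructed sample configs in a temp dir.

```shell
#!/bin/sh
# Audit vserver configs for network-admin capabilities granted via S_CAPS.
# Assumption: each vserver has a shell-style NAME.conf containing S_CAPS="...".

audit_net_caps() {
  # $1 = directory of vserver config files.
  # Prints "<name>: <caps>" for every config whose S_CAPS includes
  # CAP_NET_ADMIN or CAP_NET_RAW (the caps that let a vserver touch host interfaces).
  dir=$1
  for f in "$dir"/*.conf; do
    [ -f "$f" ] || continue
    name=$(basename "$f" .conf)
    caps=$(sed -n 's/^S_CAPS="\([^"]*\)".*/\1/p' "$f")
    case " $caps " in
      *" CAP_NET_ADMIN "*|*" CAP_NET_RAW "*) echo "$name: $caps" ;;
    esac
  done
}

count_unexpected() {
  # $1 = config dir, $2 = name of the dedicated iptables vserver.
  # Every flagged vserver other than the dedicated one is a finding.
  audit_net_caps "$1" | grep -vc "^$2: " || true
}

make_sample_configs() {
  # Constructed sample configs (not from the original page); prints the temp dir.
  d=$(mktemp -d)
  printf 'S_HOSTNAME="fw"\nS_CAPS="CAP_NET_ADMIN CAP_NET_RAW"\n' > "$d/iptables.conf"
  printf 'S_HOSTNAME="dialin"\nS_CAPS="CAP_NET_RAW CAP_SYS_TIME"\n' > "$d/dialin.conf"
  printf 'S_HOSTNAME="web"\nS_CAPS=""\n' > "$d/web.conf"
  printf 'S_HOSTNAME="db"\n' > "$d/db.conf"
  echo "$d"
}
```

Run `audit_net_caps /etc/vservers` (or wherever the configs live) and compare against the single expected iptables-vserver; `count_unexpected` gives the number of vservers that should not hold these caps.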


Generated on Wed 09 Jul 2003 - 19:16:51 BST by hypermail 2.1.3