
From: Martin List-Petersen (martin_at_list-petersen.dk)
Date: Wed 16 Jul 2003 - 15:04:25 BST

Quoting Sam Vilain <sam_at_vilain.net>:

> On Wed, 16 Jul 2003 07:49, Martin List-Petersen wrote:
> > Before integrating the vserver patches into the vanilla kernel tree,
> > probably the ipv6 security issue (all interfaces shown, one vserver can
> > take over a port on all vservers/main server) should be fixed.
> >
> > This is only an issue when IPv6 is enabled.
> Yes, while we're at it we should also support appletalk, arcnet, ATM,
> X.25, Econet/AUM, the HAM Radio system, IR-DA, and Token Ring.
> Seriously though, you do have a point. We should at least not support
> it gracefully. If nothing else, because IPv6 is 1337 right now among
> geeks and if we don't support it well, we might be seen as 14m3.

Actually the IPv6 support would be more than nice, but that's not the issue.

The issue is that if you enable IPv6 (either compiled in or loaded by module),
daemons like Exim, Courier-IMAP, Courier-POP are able to bind that port on all
IPs (IPv4 and IPv6) in and outside the vserver, like they were running on the
host system.

The second issue is that as soon as IPv6 is enabled, you can see all interfaces
(including all vserver interfaces) inside every vserver.

I would call that a major security issue.

Martin List-Petersen
martin at list-petersen dot dk

Celebrate Hannibal Day this year.  Take an elephant to lunch.
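
An audit check for the two symptoms described in the message above, as an added example that is not part of the original post or of the vserver project. It assumes the all-address binds appear as wildcard (`::`) listeners in `/proc/net/tcp6` and that interfaces are listed in `/proc/net/if_inet6`; the sample data, the function names and the allowed-interface set are constructed for illustration.

```python
# Added example: audit a guest's IPv6 view for wildcard listeners and
# interfaces it should not see. Sample data is constructed, not captured.
WILDCARD6 = "0" * 32   # "::" as printed in /proc/net/tcp6
TCP_LISTEN = "0A"      # socket state code for LISTEN

SAMPLE_TCP6 = """\
  sl  local_address                         remote_address                        st
   0: 00000000000000000000000000000000:0019 00000000000000000000000000000000:0000 0A
   1: 00000000000000000000000000000000:008F 00000000000000000000000000000000:0000 0A
   2: 000080FE00000000FF005E02010000FE:0016 00000000000000000000000000000000:0000 0A
   3: 000080FE00000000FF005E02010000FE:C350 000080FE00000000FF005E02020000FE:0019 01
"""

SAMPLE_IF_INET6 = """\
00000000000000000000000000000001 01 80 10 80       lo
fe8000000000000002005efffe000001 02 40 20 80     eth0
fe8000000000000002005efffe000002 03 40 20 80     eth1
"""

def wildcard_listeners(tcp6_text):
    """Return sorted TCP ports in LISTEN state bound to the IPv6 wildcard."""
    ports = set()
    for line in tcp6_text.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 4:
            continue
        addr, _, port = fields[1].rpartition(":")
        if fields[3] == TCP_LISTEN and addr == WILDCARD6:
            ports.add(int(port, 16))             # port is printed in hex
    return sorted(ports)

def unexpected_interfaces(if_inet6_text, allowed):
    """Return interface names visible here that are not in `allowed`."""
    seen = set()
    for line in if_inet6_text.splitlines():
        fields = line.split()
        if len(fields) >= 6:                     # addr idx plen scope flags name
            seen.add(fields[5])
    return sorted(seen - set(allowed))

if __name__ == "__main__":
    # On a live system, read /proc/net/tcp6 and /proc/net/if_inet6 instead.
    print("wildcard listeners:", wildcard_listeners(SAMPLE_TCP6))
    print("unexpected interfaces:",
          unexpected_interfaces(SAMPLE_IF_INET6, {"lo", "eth0"}))
```

Run inside each guest with the interface set that guest is supposed to see; any port or interface reported is a candidate for the isolation problem described above.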

Generated on Wed 16 Jul 2003 - 15:37:20 BST by hypermail 2.1.3