From: Alex Lyashkov (shadow_at_psoft.net)
Date: Thu 16 Oct 2003 - 10:21:00 BST
On Thursday 16 October 2003 03:45, Herbert Poetzl wrote:
> On Wed, Oct 15, 2003 at 09:28:05PM +0200, Dariush Pietrzak wrote:
> >> For gawd's sake. Do not do that. Giving a vserver the
> >> permission to take down the system, just so that you can
> >> run a badly-compiled copy of Bind9, is
> > In other words, nothing has changed; if you want to run
> > bind9 your best bet is to run it chrooted on the master server.
> > (I prefer to run it chrooted as the 'bind' user rather than to run
> > it vserver-chrooted as 'root'.)
> hmm, maybe all of you should have a look at the
> source, to find that the following is true
> (at least for 9.2.2)
> named does (on Linux only) change the capabilities
> in such a way that a non-root process can still bind
> to reserved ports (< 1024), by calling capset, which
> requires that ...
> /* Override resource limits. Set resource limits. */
For 'named' only this is needed. We can allow only it, but this requires that we stop
using task->rlim for vserver limits. Possibly move it to the s_info structure.
--
With best regards,
Alex
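As an added example (not code from this thread, from BIND or from vserver), here is the Linux capability sequence the quoted text describes: prctl(PR_SET_KEEPCAPS) before setuid(), then capset(2) to retain only CAP_NET_BIND_SERVICE, plus a root-free check that the mask handed to the kernel carries nothing else. The uid/gid a caller passes and the function names are assumptions.

```c
/* Added example, not from the thread: drop root the way the quoted text says
 * named does, keeping only CAP_NET_BIND_SERVICE. Linux only, raw capset(2). */
#define _GNU_SOURCE
#include <linux/capability.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <unistd.h>
#define CAP_WORDS _LINUX_CAPABILITY_U32S_3
/* Fill capset(2) data with exactly `caps` in permitted and effective. */
static void build_cap_data(const int *caps, size_t ncaps,
                           struct __user_cap_data_struct data[CAP_WORDS])
{
    memset(data, 0, sizeof(*data) * CAP_WORDS);
    for (size_t i = 0; i < ncaps; i++) {
        data[CAP_TO_INDEX(caps[i])].permitted |= CAP_TO_MASK(caps[i]);
        data[CAP_TO_INDEX(caps[i])].effective |= CAP_TO_MASK(caps[i]);
    }
}
/* 1 if `cap` is in the effective set described by `data`, else 0. */
static int cap_is_effective(const struct __user_cap_data_struct data[CAP_WORDS],
                            int cap)
{
    return (data[CAP_TO_INDEX(cap)].effective & CAP_TO_MASK(cap)) != 0;
}
/* Switch from root to uid/gid, retaining only `caps`; call while still root.
 * Returns 0 on success, -1 with errno set on failure. */
static int drop_root_keep_caps(uid_t uid, gid_t gid, const int *caps, size_t ncaps)
{
    struct __user_cap_header_struct hdr = { _LINUX_CAPABILITY_VERSION_3, 0 };
    struct __user_cap_data_struct data[CAP_WORDS];
    /* Without KEEPCAPS, leaving uid 0 would empty the permitted set. */
    if (prctl(PR_SET_KEEPCAPS, 1, 0, 0, 0) != 0) return -1;
    if (setgid(gid) != 0 || setuid(uid) != 0) return -1;
    /* Permitted survived, effective was cleared: shrink permitted to `caps`
     * and raise them into effective (capset can only lower permitted). */
    build_cap_data(caps, ncaps, data);
    if (syscall(SYS_capset, &hdr, data) != 0) return -1;
    return prctl(PR_SET_KEEPCAPS, 0, 0, 0, 0);
}
/* Root-free self-check: the mask built for named holds CAP_NET_BIND_SERVICE
 * and nothing else, in particular not CAP_SYS_RESOURCE. */
static int named_mask_ok(void)
{
    const int keep[] = { CAP_NET_BIND_SERVICE };
    struct __user_cap_data_struct data[CAP_WORDS];
    build_cap_data(keep, 1, data);
    return cap_is_effective(data, CAP_NET_BIND_SERVICE) &&
           !cap_is_effective(data, CAP_SYS_RESOURCE) && data[0].inheritable == 0;
}
```

drop_root_keep_caps() only succeeds when started as root; named_mask_ok() runs as any user and shows the resulting permission set stays at the single capability the daemon needs.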