From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 08 Jan 2004 - 19:12:45 GMT
Hi Community!
recently (end of december last year) somebody posted
a mystic message to one of the German webhosting lists
stating that vserver is insecure, and that he would
suggest not to use it (no details were given) ...
it 'seems' that the poster was worried about the 
ability to sniff network packets from other vservers
on the same host, when inside a vserver.
I would like to take this opportunity to name some
'real' security issues, and what you can/should do to
avoid them ...
first, linux-vserver is based on the linux capability
system and the protection this system adds to an
unpatched linux kernel, as well as to a linux-vserver
kernel. those capabilities allow the administrator of
a linux system (or vserver host) to limit the actions
even root can take. vserver tools 'automatically'
reduce the set of capabilities to a sane number:
CAP_CHOWN, CAP_DAC_OVERRIDE, CAP_DAC_READ_SEARCH,
CAP_FOWNER, CAP_FSETID, CAP_KILL, CAP_SETGID,
CAP_SETUID, CAP_NET_BIND_SERVICE, CAP_SYS_CHROOT,
CAP_SYS_PTRACE, CAP_SYS_TTY_CONFIG, CAP_LEASE
this does not contain the following capabilities, for
security reasons (giving any of them lowers the
security of your vserver host, and makes the system
vulnerable):
CAP_SETPCAP 
        transferring permitted capabilities
CAP_LINUX_IMMUTABLE 
        modifying immutable and iunlink flags
CAP_NET_BROADCAST
        allow network broadcasting/multicasting
CAP_NET_ADMIN
        network interface configuration
        setting promiscuous mode (sniffing)
        multicasting and routing tables
CAP_NET_RAW
        use of raw and packet sockets
CAP_IPC_LOCK, CAP_IPC_OWNER
        ipc owner check and mlock
CAP_SYS_MODULE
        insert and removal of kernel modules
CAP_SYS_RAWIO
        ioperm/iopl access and usb messages
CAP_SYS_PACCT
        process accounting
CAP_SYS_ADMIN
        this list would be too long, it basically
        allows doing everything else not mentioned
        in another capability.
CAP_SYS_BOOT
        allow reboot/halt
CAP_SYS_NICE
        allow raising priorities, and scheduler stuff
CAP_SYS_RESOURCE
        override resource limits
        override quota and reserved space
        modify data journaling, consoles, keymap
CAP_SYS_TIME
        manipulation of the system clock
CAP_MKNOD
        creation of kernel nodes
best,
Herbert
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
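One way to check a running task against the reduced capability set the mail lists, as an added example (not Linux-VServer's own code): it decodes the Cap* masks from a /proc/<pid>/status dump using the bit numbers of linux/capability.h and reports every capability outside that set. The /proc lines are constructed samples, and the CapBnd field is assumed to be present (older kernels only show CapInh/CapPrm/CapEff).

```python
# Audit a process's capability sets against the reduced set the mail above
# recommends for a vserver. Added example, not vserver code; bit numbers are
# those of linux/capability.h and the /proc lines are constructed samples.
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
    "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
    "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
    "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
    "CAP_LEASE",
]  # list index == capability bit number (CAP_CHOWN is bit 0, CAP_LEASE bit 28)
CAP_BITS = {name: bit for bit, name in enumerate(CAP_NAMES)}

# The set the mail says the vserver tools leave a vserver with.
ALLOWED = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
    "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
    "CAP_SYS_TTY_CONFIG", "CAP_LEASE",
}

def capmask(names):
    """Mask as shown in /proc/<pid>/status for a set of capability names."""
    return sum(1 << CAP_BITS[n] for n in names)

def decode_capmask(mask):
    """Names for the bits set in a mask; bits beyond the table stay CAP_<n>."""
    return {CAP_NAMES[b] if b < len(CAP_NAMES) else "CAP_%d" % b
            for b in range(64) if mask >> b & 1}

def audit_status(status_text):
    """Check the Cap* lines of a /proc/<pid>/status dump; returns, per set,
    the capabilities beyond ALLOWED (an empty dict means the task is clean)."""
    excess = {}
    for line in status_text.splitlines():
        if line.startswith("Cap"):
            field, value = line.split(":", 1)
            extra = decode_capmask(int(value, 16)) - ALLOWED
            if extra:
                excess[field] = sorted(extra)
    return excess

# Constructed samples: a task holding exactly the reduced set, and one that
# also holds CAP_NET_ADMIN, CAP_NET_RAW and CAP_SYS_ADMIN (bits 12, 13, 21).
CLEAN_STATUS = "Name:\tsshd\nCapEff:\t00000000140c04ff\nCapBnd:\t00000000140c04ff\n"
LEAKY_STATUS = "Name:\tsshd\nCapEff:\t00000000142c34ff\nCapBnd:\t00000000142c34ff\n"
```

Feed it the real file with `audit_status(open("/proc/%d/status" % pid).read())` and anything it returns is a capability the vserver should not be holding.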