From: Gregory (Grisha) Trubetskoy (grisha_at_ispol.com)
Date: Thu 08 Jan 2004 - 23:24:49 GMT
On Thu, 8 Jan 2004, Herbert Poetzl wrote:
> recently (end of december last year) somebody posted
> a mystic message to one of the german webhosting lists
> stating, that vserver is insecure, and that he would
> suggest not to use it (no details were given) ...
> it 'seems' that the poster was worried about the
> ability to sniff network packets from other vservers
> on the same host, when inside a vserver.
Could he have been referring to CAP_NET_RAW? I saw a few docs suggesting
that it needs to be enabled in order for ping to work. IMHO that's not
very good advice, since it allows a vserver user to send all kinds of crap
from within a vserver to the network. An evil creative mind could come up
with some way to jeopardize security/stability with raw net access.
The best way to deal with ping (and traceroute) is probably to replace
those commands with clients to some kind of a pingd/tracerouted daemon
running on the main server that would perform the ping and return the
Vserver mailing list
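An added example to go with the CAP_NET_RAW discussion above (this is not code from the thread or from the vserver project). It parses the CapEff line in /proc/<pid>/status format to see whether CAP_NET_RAW (capability number 13 on Linux) is in the effective set, then actually probes the two sockets that bit unlocks: the raw ICMP socket ping traditionally needs, and the AF_PACKET socket a sniffer would open to read every frame on the host's interfaces. The point is that the same single bit that makes ping work is what allows sniffing. Assumptions: Linux headers for the AF_PACKET probe, and a constructed CapEff line in the comments/test; the function and variable names are mine.

```c
/* Added example, not from the original thread or the vserver project.
 * Report whether this process can do what CAP_NET_RAW permits.
 * parse_cap_eff_line()/mask_has_cap_net_raw() are deterministic and work on
 * text in the /proc/<pid>/status "CapEff:" format; the probe_* functions try
 * to open the sockets a raw-capable process (ping, a sniffer) would open. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <unistd.h>
#ifdef __linux__
#include <arpa/inet.h>        /* htons */
#include <linux/if_ether.h>   /* ETH_P_ALL */
#include <linux/if_packet.h>  /* AF_PACKET */
#endif

#define CAP_NET_RAW_BIT 13    /* capability number of CAP_NET_RAW on Linux */

/* Parse a status line such as "CapEff:\t000001ffffffffff" (constructed
 * sample) and return the 64-bit mask; 0 if it is not a parsable CapEff line. */
uint64_t parse_cap_eff_line(const char *line)
{
    const char *p;
    char *end;
    uint64_t mask;

    if (strncmp(line, "CapEff:", 7) != 0)
        return 0;
    p = line + 7;
    while (*p == ' ' || *p == '\t')
        p++;
    errno = 0;
    mask = strtoull(p, &end, 16);
    if (errno != 0 || end == p)
        return 0;
    return mask;
}

/* True if CAP_NET_RAW is present in an effective-capability mask. */
int mask_has_cap_net_raw(uint64_t mask)
{
    return (int)((mask >> CAP_NET_RAW_BIT) & 1);
}

/* Effective capability mask of this process from /proc; 0 if unavailable
 * (non-Linux system, /proc not mounted inside the guest). */
uint64_t read_own_cap_eff(void)
{
    char line[256];
    uint64_t mask = 0;
    FILE *f = fopen("/proc/self/status", "r");

    if (f == NULL)
        return 0;
    while (fgets(line, sizeof line, f) != NULL) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            mask = parse_cap_eff_line(line);
            break;
        }
    }
    fclose(f);
    return mask;
}

/* The socket type a classic ping needs.  1 = opened, 0 = refused. */
int probe_raw_icmp_socket(void)
{
    int fd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
}

/* A packet socket that receives every frame on the host's interfaces, i.e.
 * exactly what a sniffer inside a vserver would ask for.  1 = opened. */
int probe_packet_sniff_socket(void)
{
#ifdef __linux__
    int fd = socket(AF_PACKET, SOCK_RAW, htons(ETH_P_ALL));
    if (fd < 0)
        return 0;
    close(fd);
    return 1;
#else
    return 0;
#endif
}

int main(void)
{
    uint64_t mask = read_own_cap_eff();

    printf("CapEff mask: %016llx (CAP_NET_RAW %s)\n",
           (unsigned long long)mask,
           mask_has_cap_net_raw(mask) ? "set" : "clear");
    printf("raw ICMP socket (ping):     %s\n",
           probe_raw_icmp_socket() ? "opened" : "refused");
    printf("AF_PACKET socket (sniffer): %s\n",
           probe_packet_sniff_socket() ? "opened" : "refused");
    return 0;
}
```

Run it once as an unprivileged user on the host and once inside a guest whose capability set includes CAP_NET_RAW: the two probes succeed or fail together, which is the reason granting the bit "so that ping works" also grants packet capture.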