From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 08 Jan 2004 - 23:37:53 GMT
On Thu, Jan 08, 2004 at 06:24:49PM -0500, Gregory (Grisha) Trubetskoy wrote:
> On Thu, 8 Jan 2004, Herbert Poetzl wrote:
> > recently (end of december last year) somebody posted
> > a mystic message to one of the german webhosting lists
> > stating, that vserver is insecure, and that he would
> > suggest not to use it (no details where given) ...
> > it 'seems' that the poster was worried about the
> > ability to sniff network packets from other vservers
> > on the same host, when inside a vserver.
> Could he have been referring to CAP_NET_RAW? I saw a few docs suggesting
> that it needs to be enabled in order for ping to work. IMHO that's not
> very good advice, since it allows a vserver user to send all kinds of crap
> from within vserver to the network. An evil creative mind could come up
> with some way to jeopardize security/stability with raw net access.
well, nobody concerned with security, would enable
something named 'CAP_NET_RAW' without making sure
that this doesn't weaken the security, right?
> The best way to deal with ping (and traceroute) is probably to replace
> those commands with clients to some kind of a pingd/tracerouted daemon
> running on the main server that would perform the ping and return the
some tools (traceroute or tracepath) make use of udp
instead of icmp, which is no big deal in a vserver,
only ping 'requires' the insecure icmp/raw access ...
> Vserver mailing list
Vserver mailing list