From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 08 Jan 2004 - 23:37:53 GMT
On Thu, Jan 08, 2004 at 06:24:49PM -0500, Gregory (Grisha) Trubetskoy wrote:
>
>
> On Thu, 8 Jan 2004, Herbert Poetzl wrote:
>
> > recently (end of december last year) somebody posted
> > a mystic message to one of the german webhosting lists
> > stating, that vserver is insecure, and that he would
> > suggest not to use it (no details where given) ...
> >
> > it 'seems' that the poster was worried about the
> > ability to sniff network packets from other vservers
> > on the same host, when inside a vserver.
>
> Could he have been referring to CAP_NET_RAW? I saw a few docs suggesting
probably ...
> that it needs to be enabled in order for ping to work. IMHO that's not
> very good advice, since it allows a vserver user to send all kinds of crap
> from within vserver to the network. An evil creative mind could come up
> with some way to jeopardize security/stability with raw net access.
well, nobody concerned with security, would enable
something named 'CAP_NET_RAW' without making sure
that this doesn't weaken the security, right?
> The best way to deal with ping (and traceroute) is probably to replace
> those commands with clients to some kind of a pingd/tracerouted daemon
> running on the main server that would perform the ping and return the
> output.
some tools (traceroute or tracepath) make use of udp
instead of icmp, which is no big deal in a vserver,
only ping 'requires' the insecure icmp/raw access ...
HTH,
Herbert
> Grisha
> _______________________________________________
> Vserver mailing list
> Vserver_at_list.linux-vserver.org
> http://list.linux-vserver.org/mailman/listinfo/vserver
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver