From: Frank Matthieß (frankm_at_lug-owl.de)
Date: Fri 09 Jan 2004 - 12:18:33 GMT
Gregory (Grisha) Trubetskoy [2004-01-09 00:24 CET]:
> On Thu, 8 Jan 2004, Herbert Poetzl wrote:
> > recently (end of december last year) somebody posted
> > a mystic message to one of the german webhosting lists
> > stating, that vserver is insecure, and that he would
> > suggest not to use it (no details where given) ...
> > it 'seems' that the poster was worried about the
> > ability to sniff network packets from other vservers
> > on the same host, when inside a vserver.
> Could he have been referring to CAP_NET_RAW? I saw a few docs suggesting
> that it needs to be enabled in order for ping to work. IMHO that's not
> very good advice, since it allows a vserver user to send all kinds of crap
> from within vserver to the network. An evil creative mind could come up
> with some way to jeopardize security/stability with raw net access.
It is possible to control this via hostsystem firewall. This seems to be
not breakable from vserver. Just use the -s or -d parameter for vserver
traffic on iptables.
-- Frank Matthieß
"My girlfriend asked me which one I like better - I hope the answer won't upset her." -- Sig von Dustin Sallings