
From: Marc E. Fiuczynski (mef_at_CS.Princeton.EDU)
Date: Fri 17 Sep 2004 - 10:58:04 BST


Hi Sandino,

Looks like I misunderstood and probably still am misunderstanding things. In
what way does reiser help with iptables rules? Seemed to me that it might be
better for ACL on files than grsec, right? By VPS admin do you mean 'root'
inside a single VPS or something else?

Pardon for being so dense.

Cheers,
Marc

-----Original Message-----
From: vserver-bounces_at_list.linux-vserver.org
[mailto:vserver-bounces_at_list.linux-vserver.org]On Behalf Of Sandino
Araico Sánchez
Sent: Friday, September 17, 2004 5:20 AM
To: vserver_at_list.linux-vserver.org
Subject: Re: [Vserver] Reiser4 views/process oriented security proposal

Marc E. Fiuczynski wrote:

>Hi Sandino,
>
>In what compelling VPS scenarios is the VPS administrator != host system
>administrator?
>
>
In commercial VPS hosting the host system administrator is the hosting
provider while the VPS administrator is the client.

The client needs to issue a ticket each time he needs the hosting
provider to set up a new iptables rule or a new grsec ACL.

>Marc
>
>-----Original Message-----
>From: vserver-bounces_at_list.linux-vserver.org
>[mailto:vserver-bounces_at_list.linux-vserver.org]On Behalf Of Sandino
>Araico Sánchez
>Sent: Wednesday, September 15, 2004 10:36 PM
>To: vserver_at_list.linux-vserver.org
>Subject: Re: [Vserver] Reiser4 views/process oriented security proposal
>
>
>Christian Mayrhuber wrote:
>
>
>
>>Could become interesting:
>> http://www.namesys.com/blackbox_security.html
>>
>>
>>
>>
>The process-oriented ACL seems functionally equivalent to grsec
>process-based ACLs.
>One disadvantage of grsec + vserver is that ACLs are applied system-wide
>and must be administered on the mother server. The same applies to
>iptables rules.
>The advantage of Reiser's views model is that since they are defined on
>the file attributes they can be defined inside the scope of the children
>vservers so each vserver admin will be able to define his own ACLs just
>by defining ACL attributes on every file to be executed.
>The VPS administrators using Reiser 4 will be able to define
>process-oriented ACLs as they wish whenever they wish while VPS
>administrators using grsec ACLs must rely on their host system
>administrator to apply the rules as they better understand.
>
>
>
>>What do you think, maybe views instead of
>>chroot() + mount --bind?
>>
>>
>>
>>
>>
>
>_______________________________________________
>Vserver mailing list
>Vserver_at_list.linux-vserver.org
>http://list.linux-vserver.org/mailman/listinfo/vserver
>
>
>



Generated on Fri 17 Sep 2004 - 10:58:19 BST by hypermail 2.1.3