
From: Sandino Araico Sánchez (sandino_at_sandino.net)
Date: Fri 17 Sep 2004 - 11:55:14 BST


Marc E. Fiuczynski wrote:

>Hi Sandino,
>
>Looks like I misunderstood and probably still am misunderstanding things. In
>what way does reiser help with iptables rules?
>
It doesn't. It's just an example of things that can't be done inside a
vserver and can/should only be done in the host system: iptables, routes,
tunnels, mount/umount filesystems, grsec ACL rules...

> Seemed to me that it might be
>better for ACL on files than grsec, right?
>
Not exactly better. I'd say more convenient.

> By VPS admin do you mean 'root'
>inside a single VPS or something else?
>
>
yes

>Pardon for being so dense.
>
>Cheers,
>Marc
>
>
>-----Original Message-----
>From: vserver-bounces_at_list.linux-vserver.org
>[mailto:vserver-bounces_at_list.linux-vserver.org]On Behalf Of Sandino
>Araico Sánchez
>Sent: Friday, September 17, 2004 5:20 AM
>To: vserver_at_list.linux-vserver.org
>Subject: Re: [Vserver] Reiser4 views/process oriented security proposal
>
>
>Marc E. Fiuczynski wrote:
>
>
>
>>Hi Sandino,
>>
>>In what compelling VPS scenarios is the VPS administrator != host system
>>administrator?
>>
>>
>>
>>
>In commercial VPS hosting the host system administrator is the hosting
>provider while the VPS administrator is the client.
>
>The client needs to issue a ticket each time he needs the hosting
>provider to set up a new iptables rule or a new grsec ACL.
>
>
>
>>Marc
>>
>>-----Original Message-----
>>From: vserver-bounces_at_list.linux-vserver.org
>>[mailto:vserver-bounces_at_list.linux-vserver.org]On Behalf Of Sandino
>>Araico Sánchez
>>Sent: Wednesday, September 15, 2004 10:36 PM
>>To: vserver_at_list.linux-vserver.org
>>Subject: Re: [Vserver] Reiser4 views/process oriented security proposal
>>
>>
>>Christian Mayrhuber wrote:
>>
>>
>>
>>
>>
>>>Could become interesting:
>>>http://www.namesys.com/blackbox_security.html
>>>
>>>
>>>
>>>
>>>
>>>
>>The process-oriented ACL seems functionally equivalent to grsec
>>process-based ACLs.
>>One disadvantage of grsec + vserver is that ACLs are applied system-wide
>>and must be administered on the mother server. The same applies to
>>iptables rules.
>>The advantage of Reiser's views model is that since they are defined on
>>the file attributes they can be defined inside the scope of the children
>>vservers so each vserver admin will be able to define his own ACLs just
>>by defining ACL attributes on every file to be executed.
>>The VPS administrators using Reiser 4 will be able to define
>>process-oriented ACLs as they wish whenever they wish while VPS
>>administrators using grsec ACLs must rely on their host system
>>administrator to apply the rules as they better understand.
>>
>>
>>
>>
>>
>>>What do you think, maybe views instead of
>>>chroot() + mount --bind?
>>>
>>>
>>>
>>>
>>>
>>>
>>>
>>_______________________________________________
>>Vserver mailing list
>>Vserver_at_list.linux-vserver.org
>>http://list.linux-vserver.org/mailman/listinfo/vserver
>>
>>
>>
>>
>
>
>


Generated on Fri 17 Sep 2004 - 12:50:59 BST by hypermail 2.1.3