From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Fri 17 Sep 2004 - 18:22:46 BST

On Fri, Sep 17, 2004 at 10:37:20AM -0400, Gregory (Grisha) Trubetskoy wrote:
> 
> On Fri, 17 Sep 2004, Herbert Poetzl wrote:
> 
> >On Thu, Sep 16, 2004 at 10:29:52PM -0400, Gregory (Grisha) Trubetskoy 
> >wrote:
> >>
> >>Is it possible to somehow use mount --bind from within a vserver?
> >>(vs1.28).
> >
> >not in a secure way with the 2.4 stable branch, but it is with recent 
> >2.6 (vs1.9.x) devel branch ...
> 
> Thanks
> 
> >of course, after adding enough CAPs, everything is possible ...
> 
> We do something like this to allow ping and traceroute - there is an 
> outside process that reenters the vserver to execute a particular command 
> with an elevated capability.

ping and traceroute should also work fine with 2.6 devel
branch ... without the need for additional CAPs ..

> At first look it seems that mount --bind obeys chroot and it should be 
> safe for us to allow it as well, or is there some apparent security 
> problem with this?

well, namespaces make --bind mounts secure, chroot
jails might pose some security issues ...

best,
Herbert

> There are more details on the aforementioned kludge here for those 
> interested:
> 
> http://www.openvps.org/cvs/viewcvs.cgi/oh-host/ohd/README?rev=1.1&content-type=text/vnd.viewcvs-markup
> 
> Thanks for your help!
> 
> Grisha
_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver