From: Gregory (Grisha) Trubetskoy (grisha_at_ispol.com)
Date: Thu 13 Jan 2005 - 17:43:26 GMT

On Thu, 13 Jan 2005, Herbert Poetzl wrote:
> On Thu, Jan 13, 2005 at 03:27:19PM +0100, Thomas Weber wrote:
>> So I think the util-vserver package should make sure that there is
>> capability support in the kernel before starting the vserver or else it
>> will silently run insecure vservers!
> well, IMHO that is something beyond the scope of util-vserver. why?
> simple, you would encounter the same issues on a vanilla system, if you
> do not load or compile in the capability stuff, similar to the issues
> you will encounter if you do not compile in support for ipv4, which
> clearly is _not_ something util-vserver should take care of when
> starting a new vserver ...

If I try to configure ipv4 on an interface using a kernel that does not
have ipv4 support I presume I will get an error (I've never actually tried
running a kernel sans ipv4) - it sounds like util-vserver tools don't
error out when you try to set a capability on a kernel that does not
support them, which IMHO is not right.