From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Thu 13 Jan 2005 - 18:44:29 GMT
On Thu, Jan 13, 2005 at 12:43:26PM -0500, Gregory (Grisha) Trubetskoy wrote:
> On Thu, 13 Jan 2005, Herbert Poetzl wrote:
> >On Thu, Jan 13, 2005 at 03:27:19PM +0100, Thomas Weber wrote:
> >>So I think the util-vserver package should make sure that there is
> >>capability support in the kernel before starting the vserver or else it
> >>will silently run insecure vservers!
> >well, IMHO that is something beyond the scope of util-vserver. why?
> >simple, you would encounter the same issues on a vanilla system, if you
> >do not load or compile in the capability stuff, similar to the issues
> >you will encounter if you do not compile in support for ipv4, which
> >clearly is _not_ something util-vserver should take care of when
> >starting a new vserver ...
> If I try to configure ipv4 on an interface using a kernel that does not
> have ipv4 support I presume I will get an error (I've never actually tried
> running a kernel sans ipv4) - it sounds like util-vserver tools don't
> error out when you try to set a capability on a kernel that does not
> support them, which IMHO is not right.
agreed, but you have to complain to Linus, as setting
(and getting) the caps for a process works just fine,
even when the capability system is missing ... so the
tools have no easy way to detect this ...
the only way to detect it, is to drop some caps and
do something evil, if it fails, everything is fine ;)
> my $0.02
> Vserver mailing list
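The "drop some caps and do something evil" check described above, as an added example (not part of the original message and not util-vserver code). It assumes a current Linux with the raw `capget`/`capset` syscalls; the choice of `CAP_SYS_CHROOT` with `chroot("/")` as a harmless privileged operation and the names `classify` and `probe_caps` are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/wait.h>
#include <linux/capability.h>

enum probe { CAPS_ENFORCED, CAPS_NOT_ENFORCED, CAPS_INCONCLUSIVE };

/* Decide from what happened after dropping CAP_SYS_CHROOT and calling chroot("/"). */
enum probe classify(int had_cap, int drop_rc, int op_rc, int op_errno)
{
    if (!had_cap || drop_rc != 0)
        return CAPS_INCONCLUSIVE;   /* never held the cap, or could not drop it */
    if (op_rc == 0)
        return CAPS_NOT_ENFORCED;   /* drop was accepted, but the kernel ignored it */
    return op_errno == EPERM ? CAPS_ENFORCED : CAPS_INCONCLUSIVE;
}

/* Run the probe in a child so the caller keeps its own capabilities. */
enum probe probe_caps(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return CAPS_INCONCLUSIVE;
    if (pid == 0) {
        struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
        struct __user_cap_data_struct d[2] = { { 0 } };
        if (syscall(SYS_capget, &h, d) != 0) _exit(CAPS_INCONCLUSIVE);
        int had = (d[0].effective >> CAP_SYS_CHROOT) & 1;
        d[0].effective &= ~(1u << CAP_SYS_CHROOT);
        d[0].permitted &= ~(1u << CAP_SYS_CHROOT);
        int drop_rc = (int)syscall(SYS_capset, &h, d);
        int op_rc = chroot("/");    /* harmless if it succeeds: root stays "/" */
        _exit(classify(had, drop_rc, op_rc, errno));
    }
    if (waitpid(pid, &status, 0) != pid || !WIFEXITED(status))
        return CAPS_INCONCLUSIVE;
    return (enum probe)WEXITSTATUS(status);
}

int main(void)
{
    enum probe r = probe_caps();
    printf("capability drop: %s\n", r == CAPS_ENFORCED ? "enforced" :
           r == CAPS_NOT_ENFORCED ? "NOT enforced" : "inconclusive");
    return r == CAPS_NOT_ENFORCED;  /* non-zero exit: refuse to start the guest */
}
```

Run it as root before starting a guest; as an unprivileged user there is no capability to drop and the result is "inconclusive".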