
From: Thomas Weber (l_vserver_at_mail2news.4t2.com)
Date: Thu 13 Jan 2005 - 21:44:06 GMT

[sorry for messing up the thread by answering personal and forwarding to
the list earlier]

On Thu, Jan 13, 2005 at 07:26:30PM +0100, Herbert Poetzl wrote:
> On Thu, Jan 13, 2005 at 05:46:10PM +0100, Thomas Weber wrote:
> > On Thu, Jan 13, 2005 at 05:12:43PM +0100, Herbert Poetzl wrote:
> > > > So I think the util-vserver package should make sure that there is
> > > > capability support in the kernel before starting the vserver or else it
> > > > will silently run insecure vservers!
> > >
> > > well, IMHO that is something beyond the scope of
> > > util-vserver. why? simple, you would encounter the
> > > same issues on a vanilla system, if you do not load
> > > or compile in the capability stuff, similar to the
> > > issues you will encounter if you do not compile in
> > > support for ipv4, which clearly is _not_ something
> > > util-vserver should take care of when starting a
> > > new vserver ...
> >
> > I don't think it's much different than checking the permissions of
> > /vservers and giving a warning...
> do the tools warn on misconfigured barriers?

at least the old ones did.

> (not sure about that) but agreed, a warning would
> be nice, unless it gives false positives ...

more than nice.

> (I guess patches are welcome ;)

if you have to try using capabilities in order to detect kernel support
for it, wouldn't it be more useful to have the capability system
generate an entry in /proc (or /sys)? And no, I'm not a kernel hacker.

> > I don't consider myself a newbie, and I'm running vservers for quite
> > some time now - this wasn't a known issue to me and it's not very
> > obvious to figure out. Yet I'm glad this was a problem for me, because
> > an as you call it 'clean vserver config' would not have triggered this
> > behaviour and maybe I would now run totally insecure vservers without
> > knowing. Maybe there are already lots of insecure vservers up and
> > running out there.
> probably, at least with debian it seems to be default
> to build linux-caps as module and _not_ load it on
> bootup (hopefully that will be fixed soon)

building linux-caps as module was my decision. I don't use debian
packages for the kernel. I compile it myself. Like most people I expect
something to fail if the kernel doesn't have support for it (coming from
2.4 kernels one might even expect it to load automatically).

Vserver mailing list
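The probe discussed in the message above (trying a capability operation to detect kernel support) could look like the following. This is an added example, not code from the thread or from util-vserver. All function and enum names are hypothetical. It uses the version 3 capget/capset interface of current kernels rather than the 2005 ABI, and it assumes that a kernel without working capability support either refuses the change or still reports the bit as set.

```c
#include <linux/capability.h>
#include <stdint.h>
#include <stdio.h>
#include <sys/syscall.h>
#include <unistd.h>

enum caps_verdict { CAPS_ENFORCED, CAPS_NOT_ENFORCED, CAPS_INCONCLUSIVE };

/* Pure decision step: compare the effective set before and after the drop. */
enum caps_verdict classify(uint64_t before, int capset_rc, uint64_t after, int bit)
{
    uint64_t mask = (uint64_t)1 << bit;
    if (!(before & mask)) return CAPS_INCONCLUSIVE;  /* nothing to drop */
    if (capset_rc != 0)   return CAPS_NOT_ENFORCED;  /* drop was refused */
    return (after & mask) ? CAPS_NOT_ENFORCED : CAPS_ENFORCED;
}
/* nr is SYS_capget or SYS_capset; pid 0 in the header means "this thread". */
static int caps_call(long nr, struct __user_cap_data_struct *d)
{
    struct __user_cap_header_struct h = { _LINUX_CAPABILITY_VERSION_3, 0 };
    return (int)syscall(nr, &h, d);
}
static uint64_t effective(const struct __user_cap_data_struct *d)
{
    return ((uint64_t)d[1].effective << 32) | d[0].effective;
}
/* Drop one effective capability, read it back, then restore the original set. */
enum caps_verdict probe_capability_enforcement(void)
{
    struct __user_cap_data_struct orig[2], drop[2], now[2];
    if (caps_call(SYS_capget, orig) != 0) return CAPS_INCONCLUSIVE;
    uint64_t before = effective(orig);
    int bit = 0;
    while (bit < 64 && !((before >> bit) & 1)) bit++;
    if (bit == 64) return CAPS_INCONCLUSIVE;         /* unprivileged caller */
    drop[0] = orig[0]; drop[1] = orig[1];
    if (bit < 32) drop[0].effective &= ~(1u << bit);
    else          drop[1].effective &= ~(1u << (bit - 32));
    int rc = caps_call(SYS_capset, drop);
    uint64_t after = caps_call(SYS_capget, now) == 0 ? effective(now) : before;
    caps_call(SYS_capset, orig);                     /* bit is still permitted */
    return classify(before, rc, after, bit);
}
int main(void)
{
    static const char *msg[] = { "enforced", "NOT enforced", "inconclusive" };
    enum caps_verdict v = probe_capability_enforcement();
    printf("capability support: %s\n", msg[v]);
    return v == CAPS_ENFORCED ? 0 : 1;
}
```

Run it as root on the host before starting guests; an unprivileged caller has no effective capability to drop, so the result is reported as inconclusive rather than as a pass.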

Generated on Thu 13 Jan 2005 - 21:44:34 GMT by hypermail 2.1.3