On Sun, Oct 02, 2005 at 10:01:45PM -0700, Robin Lee Powell wrote:
> The app I want to run in a VServer, mooix, creates (among other
> special things) TTY device files. If I run it without CAP_MKNOD, I
> cp: cannot create special file
> Operation not permitted Unable to copy /dev/pts/10 to
> /var/lib/mooix/system/sessionmanager/sessions/item1/tty; perhaps that
> directory is mounted nodev? at /usr/share/mooix/mooix-pty-helper.pl
> line 66. open tty for write: Permission denied
'copying' device nodes is not a good idea, your tool
should make symlinks instead ...
> The code in question:
> system("cp", "-a", $tty, $dest);
> (running from perl)
> I strongly suspcet that the $tty arg was /dev/pts/10; I can verify
> this if it matters.
> My questions:
> Is there another way to give the VServer the ability to do this sort
> of thing?
> If not, is there an easy fix to the perl code to do the same thing
> without running into whatever is causing this?
see suggestion above ...
> If not, how dangerous is CAP_MKNOD really? My threat model assumes
> people getting root inside the VServer.
with CAP_MKNOD you can root the host too, so it's really
something you do not want to give a guest ...
> http://www.digitalkingdom.org/~rlpowell/ *** http://www.lojban.org/
> Reason #237 To Learn Lojban: "Homonyms: Their Grate!"
> Proud Supporter of the Singularity Institute - http://singinst.org/
> Vserver mailing list
Vserver mailing list
Received on Mon Oct 3 18:28:44 2005