On Mon, Oct 03, 2005 at 07:28:29PM +0200, Herbert Poetzl wrote:
> On Sun, Oct 02, 2005 at 10:01:45PM -0700, Robin Lee Powell wrote:
> > The app I want to run in a VServer, mooix, creates (among other
> > special things) TTY device files. If I run it without
> > CAP_MKNOD, I get:
> >
> > cp: cannot create special file
> > `/var/lib/mooix/system/sessionmanager/sessions/item1/tty':
> > Operation not permitted Unable to copy /dev/pts/10 to
> > /var/lib/mooix/system/sessionmanager/sessions/item1/tty; perhaps that
> > directory is mounted nodev? at /usr/share/mooix/mooix-pty-helper.pl
> > line 66. open tty for write: Permission denied
>
> 'copying' device nodes is not a good idea, your tool should make
> symlinks instead ...
Unfortunately, it patches the open() call with O_NOFOLLOW for
security reasons...
I think I have an app-level solution, though. Thanks for the
warning that it's a major hole.
-Robin
-- http://www.digitalkingdom.org/~rlpowell/ *** http://www.lojban.org/ Reason #237 To Learn Lojban: "Homonyms: Their Grate!" Proud Supporter of the Singularity Institute - http://singinst.org/ _______________________________________________ Vserver mailing list Vserver@list.linux-vserver.org http://list.linux-vserver.org/mailman/listinfo/vserverReceived on Mon Oct 3 18:44:42 2005