[Vserver] security implications of having /dev/mem in a guest

From: Tony Lewis <gnutered_at_yahoo.com.au>
Date: Tue 14 Mar 2006 - 00:03:09 GMT
Message-ID: <4416083D.903@yahoo.com.au>

I installed a muck-around vserver guest as an Ubuntu desktop (though
never finished setting it up to log in remotely). Doing an upgrade now
wants to run dmidecode as part of the postinstall. This wants access to
/dev/mem, which of course doesn't exist in the guest. Plus to be useful
I guess I'll have to grant the SYS_RAWIO capability to the guest too?

What are the security implications of having /dev/mem plus RAWIO
capabilities in a guest? My armchair guess is that a root process in
the guest would have read (and write?) access to the entire memory space.

Tony Lewis

Vserver mailing list
Received on Tue Mar 14 00:03:48 2006

[Next/Previous Months] [Main vserver Project Homepage] [Howto Subscribe/Unsubscribe] [Paul Sladen's vserver stuff]
Generated on Tue 14 Mar 2006 - 00:03:52 GMT by hypermail 2.1.8